
Re: [ietf-smtp] Followup to your reply on the IETF-SMTP mailing list

2021-05-25 11:35:55
On Tue, May 25, 2021 at 12:40:01PM +0200, Kaspar Etter wrote:

> On 24 May 2021, at 12:43, Alessandro Vesely <vesely(_at_)tana(_dot_)it> wrote:
>
>> And the beauty of TLSA records is that the MX operator maintains them. All I
>> have to do as a domain owner is to deploy/enable DNSSEC on my domain.
>
> You're right.  I assumed the TLSA record was not a CNAME.  I guess you mean:
>
> _25._tcp.my-domain.example. IN CNAME _25._tcp.MX-operator.example.

No, I meant that DANE-aware ESMTP clients first resolve the MX
indirection and look for TLSA records on the “target/MX” domain.

Indeed, e.g. this is how it works for ~1.2 million domains that are
MX-hosted by one.com MX hosts.  The hosted domain just needs to be
DNSSEC-signed and to point its MX records at the provider.  The DANE
TLSA RRs and all responsibility for managing them are on the MX host side:

    simonvikstrom.se. IN MX 10 mx1.pub.mailpod7-cph3.one.com. ; NoError AD=1
    simonvikstrom.se. IN MX 10 mx2.pub.mailpod7-cph3.one.com. ; NoError AD=1
    simonvikstrom.se. IN MX 10 mx3.pub.mailpod7-cph3.one.com. ; NoError AD=1
    ;
    mx1.pub.mailpod7-cph3.one.com. IN A 185.164.14.86 ; NoError AD=1
    _25._tcp.mx1.pub.mailpod7-cph3.one.com. IN TLSA 3 1 1 3b8e75c279f1dda9ca462b79077ba25b63f4a016d01e3fbbca6ab6620ae04421 ; NoError AD=1
    _25._tcp.mx1.pub.mailpod7-cph3.one.com. IN TLSA 3 1 1 ab91ea8a9ae477de45828410679aa1e6c290b3a28835f47e3eac9d0bd1894c2f ; NoError AD=1
    ;
    mx2.pub.mailpod7-cph3.one.com. IN A 185.164.14.87 ; NoError AD=1
    _25._tcp.mx2.pub.mailpod7-cph3.one.com. IN TLSA 3 1 1 3b8e75c279f1dda9ca462b79077ba25b63f4a016d01e3fbbca6ab6620ae04421 ; NoError AD=1
    _25._tcp.mx2.pub.mailpod7-cph3.one.com. IN TLSA 3 1 1 ab91ea8a9ae477de45828410679aa1e6c290b3a28835f47e3eac9d0bd1894c2f ; NoError AD=1
    ;
    mx3.pub.mailpod7-cph3.one.com. IN A 185.164.14.88 ; NoError AD=1
    _25._tcp.mx3.pub.mailpod7-cph3.one.com. IN TLSA 3 1 1 3b8e75c279f1dda9ca462b79077ba25b63f4a016d01e3fbbca6ab6620ae04421 ; NoError AD=1
    _25._tcp.mx3.pub.mailpod7-cph3.one.com. IN TLSA 3 1 1 ab91ea8a9ae477de45828410679aa1e6c290b3a28835f47e3eac9d0bd1894c2f ; NoError AD=1

-- 
    Viktor.

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
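The MX-then-TLSA lookup described in the message above, as an added example that is not part of the thread or of any MTA's code: a DANE-aware SMTP client resolves the MX indirection first, then looks for TLSA records under `_25._tcp.<mx-host>`, and applies DANE only when both answers are DNSSEC-authenticated (AD=1), otherwise falling back to opportunistic STARTTLS. The resolver answers are a constructed in-memory table (the one.com host name and first digest are copied from the records above; the `*.example` domains and the SPKI bytes are invented).

```python
import hashlib

# Constructed stand-in for a DNSSEC-validating resolver: (name, type) -> (rrset, ad).
# ad=True means the resolver set the AD bit, i.e. the answer is authenticated.
# The one.com MX host and the first digest copy the records quoted above; the
# SPKI bytes and the *.example names are invented for this example.
SPKI_MX1 = b"constructed DER SubjectPublicKeyInfo of mx1"  # stands in for real DER
DIGEST_MX1 = hashlib.sha256(SPKI_MX1).hexdigest()
ONECOM_MX1 = "mx1.pub.mailpod7-cph3.one.com."
ZONE = {
    ("simonvikstrom.se.", "MX"): ([(10, ONECOM_MX1)], True),
    ("_25._tcp." + ONECOM_MX1, "TLSA"): ([
        (3, 1, 1, "3b8e75c279f1dda9ca462b79077ba25b63f4a016d01e3fbbca6ab6620ae04421"),
        (3, 1, 1, DIGEST_MX1)], True),
    # Unsigned hosted domain: same MX host, but the MX answer is not authenticated.
    ("unsigned.example.", "MX"): ([(10, ONECOM_MX1)], False),
    # Signed domain whose MX host publishes no TLSA records at all.
    ("nodane.example.", "MX"): ([(10, "mx.nodane.example.")], True),
}

def lookup(name, rtype):
    # Absent names model a DNSSEC-authenticated "no such record" answer.
    return ZONE.get((name, rtype), ([], True))

def dane_policy(domain):
    """Return {mx_host: [sha256 hex digests]} for the MX hosts that can be
    DANE-authenticated, or None when the client must fall back to
    opportunistic (unauthenticated) STARTTLS (RFC 7672, section 2.2)."""
    mx_rrs, mx_ad = lookup(domain, "MX")
    if not mx_ad or not mx_rrs:
        return None  # MX indirection not validated: the target's TLSA cannot be trusted
    policy = {}
    for _pref, host in sorted(mx_rrs):
        tlsa_rrs, tlsa_ad = lookup("_25._tcp." + host, "TLSA")
        # Keep only "3 1 1" records (DANE-EE, SPKI, SHA-256), the form shown above.
        usable = [d for (u, s, m, d) in tlsa_rrs if (u, s, m) == (3, 1, 1)]
        if tlsa_ad and usable:
            policy[host] = usable
    return policy or None

def spki_matches(digests, spki_der):
    """Matching type 1: SHA-256 over the DER SubjectPublicKeyInfo the MX presents."""
    return hashlib.sha256(spki_der).hexdigest() in digests

if __name__ == "__main__":
    for d in ("simonvikstrom.se.", "unsigned.example.", "nodane.example."):
        print(d, dane_policy(d))
```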