headers
Alfred Hönes | 1 Apr 2009 16:40
Picon

draft-morris-dnsop-dnssec-key-timing-00

Hello,
I have studied your I-D, draft-morris-dnsop-dnssec-key-timing-00
and find it a very useful exposition.

I have (A) one point for discussion and (B) a few nits to polish.

(A)

The draft generally assumes a single active key used for zone
signing (or as a KSK for secure delegation).

IIRC, the core DNSSEC specifications call out for one set of
signatures *per algorithm supported in a zone*.

Since currently crypto algorithm agility is a hot topic
(e.g. transition to SHA-2 and ECDSA), it should be worth
being considered in the draft.  The important detail is that,
due to long transition phases to be expected for validating
resolvers, there will be long periods of coexistence of
signatures for secure zones that are deemed worth the
algorithm transition, and hence the common operational need
for more than one 'active' key.

My first impression is that the algorithms in the draft could be
(and should be) easily applied unchanged *per signature algorithm*.
Is that true?

Thoughts?

(B) Editorial nits:
(Continue reading)

Permalink | Reply | 5 comments |
headers
Ondřej Surý | 10 Apr 2009 09:57
Picon
Favicon
Gravatar

"MX 0 ." standard way of saying "we don't do email" ?

Hi,

I have just encountered strange thing:

> > > security.eu.debian.org mail is handled by 0 .
> >
> > I am not sure if pointing MX record to other peoples zone is good idea.
> > And the root zone has it's own deal of DoS attack even without random
> > MXes pointing into it.
>
> "MX 0 ." is the standard way of saying "we don't do email".

Does anybody have an experience with that? How different MTAs behave?
How does bots behave? My opinion is that it can trigger IN A(AAA) requests
to a root zone in some cases, but there could be RFC I am not aware of which
defines this thing as "standard".

Ondrej
--
Ondrej Sury
technicky reditel/Chief Technical Officer
-----------------------------------------
CZ.NIC, z.s.p.o.  --  .cz domain registry
Americka 23,120 00 Praha 2,Czech Republic
mailto:ondrej.sury <at> nic.cz  http://nic.cz/
sip:ondrej.sury <at> nic.cz tel:+420.222745110
mob:+420.739013699     fax:+420.222745112
-----------------------------------------


_______________________________________________
DNSOP mailing list
DNSOP <at> ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Permalink | Reply | 3 comments |
headers
Stephane Bortzmeyer | 10 Apr 2009 10:10
Picon

Re: "MX 0 ." standard way of saying "we don't do email" ?

On Fri, Apr 10, 2009 at 09:57:14AM +0200,
 Ond?ej Surý <ondrej.sury <at> nic.cz> wrote 
 a message of 77 lines which said:

> > "MX 0 ." is the standard way of saying "we don't do email".

Bullshit.

> How different MTAs behave?

Postfix does not ask the root, it stops after it had the MX:

Apr 10 10:08:48 aetius postfix/smtp[32380]: warning: valid_hostname: empty hostname
Apr 10 10:08:48 aetius postfix/smtp[32380]: warning: malformed domain name in resource data of MX record
for security.eu.debian.org: 
Apr 10 10:08:48 aetius postfix/smtp[32380]: 0FA6094E35:
to=<doesnotexist <at> security.eu.debian.org>, relay=none, delay=0.05, delays=0.04/0.01/0/0,
dsn=5.4.4, status=bounced (Name service error for name=security.eu.debian.org type=MX: Malformed
or unexpected name server reply)

> there could be RFC I am not aware of which defines this thing as
> "standard".

There is no standard way to say "I don't want to receive email"
(unfortunately).

_______________________________________________
DNSOP mailing list
DNSOP <at> ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Permalink | Reply | 2 comments |
headers
Mark Andrews | 10 Apr 2009 10:29

Re: "MX 0 ." standard way of saying "we don't do email" ?


In message <20090410081050.GA13790 <at> nic.fr>, Stephane Bortzmeyer writes:
> On Fri, Apr 10, 2009 at 09:57:14AM +0200,
>  Ond?ej Sur=FD <ondrej.sury <at> nic.cz> wrote =
> 
>  a message of 77 lines which said:
> 
> > > "MX 0 ." is the standard way of saying "we don't do email".
> 
> Bullshit.
> 
> > How different MTAs behave?
> 
> Postfix does not ask the root, it stops after it had the MX:
> 
> Apr 10 10:08:48 aetius postfix/smtp[32380]: warning: valid_hostname: empty =
> hostname
> Apr 10 10:08:48 aetius postfix/smtp[32380]: warning: malformed domain name =
> in resource data of MX record for security.eu.debian.org: =
> 
> Apr 10 10:08:48 aetius postfix/smtp[32380]: 0FA6094E35: to=3D<doesnotexist <at> =
> security.eu.debian.org>, relay=3Dnone, delay=3D0.05, delays=3D0.04/0.01/0/0=
> , dsn=3D5.4.4, status=3Dbounced (Name service error for name=3Dsecurity.eu.=
> debian.org type=3DMX: Malformed or unexpected name server reply)
> 
> > there could be RFC I am not aware of which defines this thing as
> > "standard".
> 
> There is no standard way to say "I don't want to receive email"
> (unfortunately).
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP <at> ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

	This has been proposed in the past and is consistent with
	how SRV signals no support.  FUD has always shot it down.

	Mark
--

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews <at> isc.org
_______________________________________________
DNSOP mailing list
DNSOP <at> ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Permalink | Reply | 0 comments |
headers
SM | 10 Apr 2009 11:08

Re: "MX 0 ." standard way of saying "we don't do email" ?

At 00:57 10-04-2009, Ondřej Surý wrote:
>I have just encountered strange thing:
>
> > > > 
> <http://security.eu.debian.org>security.eu.debian.org mail is handled by 0 .
> > >
> > > I am not sure if pointing MX record to other peoples zone is good idea.
> > > And the root zone has it's own deal of DoS attack even without random
> > > MXes pointing into it.
> >
> > "MX 0 ." is the standard way of saying "we don't do email".

It's called NULL MX.  There is an expired I-D 
about it at 
http://www.ietf.org/proceedings/05aug/IDs/draft-delany-nullmx-00.txt 
The attempt to standardize the practice was 
viewed as a bad idea by the DNSEXT WG.

>Does anybody have an experience with that? How different MTAs behave?

The MX RR will be ignored.  There will be an AAAA 
DNS request and a fallback to the A RR for 
security.eu.debian.org.  Newer versions of 
sendmail and Postfix will treat that MX RR as a 
bad MX and reject the message instead of retrying.

Regards,
-sm 

_______________________________________________
DNSOP mailing list
DNSOP <at> ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Permalink | Reply | 27 comments |
headers
Edward Lewis | 10 Apr 2009 15:53
Favicon

Re: "MX 0 ." standard way of saying "we don't do email" ?

At 2:08 -0700 4/10/09, SM wrote:

>It's called NULL MX.  There is an expired I-D about it at
>http://www.ietf.org/proceedings/05aug/IDs/draft-delany-nullmx-00.txt The
>attempt to standardize the practice was viewed as a bad idea by the DNSEXT WG.

There are three messages in the namedroppers archive about this.  One 
post says "send it to DNSOP." (So, it's about time. ;) )

But the draft really isn't about DNS.  It's about SMTP.

>The MX RR will be ignored.  There will be an AAAA DNS request and a fallback
>to the A RR for security.eu.debian.org.  Newer versions of sendmail and
>Postfix will treat that MX RR as a bad MX and reject the message instead
>of retrying.

...it's about SMTP...
--

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.
_______________________________________________
DNSOP mailing list
DNSOP <at> ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Permalink | Reply | 5 comments |
headers
Ondřej Surý | 10 Apr 2009 16:23
Picon
Favicon
Gravatar

Re: "MX 0 ." standard way of saying "we don't do email" ?

Since it looks like it is already in use (at least in some MTAs) I am willing to help
to standardize this. However I lack an experience what to do if there is no smtp
working group. Should I send it to apps area ml, or to chairs of apps area?

It seems to be overkill to start whole wg just to standardize one draft, isn't it?

Ondrej

On Fri, Apr 10, 2009 at 3:53 PM, Edward Lewis <Ed.Lewis <at> neustar.biz> wrote:
At 2:08 -0700 4/10/09, SM wrote:

It's called NULL MX.  There is an expired I-D about it at
http://www.ietf.org/proceedings/05aug/IDs/draft-delany-nullmx-00.txt The
attempt to standardize the practice was viewed as a bad idea by the DNSEXT WG.

There are three messages in the namedroppers archive about this.  One post says "send it to DNSOP." (So, it's about time. ;) )

But the draft really isn't about DNS.  It's about SMTP.


The MX RR will be ignored.  There will be an AAAA DNS request and a fallback
to the A RR for security.eu.debian.org.  Newer versions of sendmail and
Postfix will treat that MX RR as a bad MX and reject the message instead
of retrying.

...it's about SMTP...

Ondrej
--
Ondrej Sury
technicky reditel/Chief Technical Officer
-----------------------------------------
CZ.NIC, z.s.p.o.  --  .cz domain registry
Americka 23,120 00 Praha 2,Czech Republic
mailto:ondrej.sury <at> nic.cz  http://nic.cz/
sip:ondrej.sury <at> nic.cz tel:+420.222745110
mob:+420.739013699     fax:+420.222745112
-----------------------------------------


_______________________________________________
DNSOP mailing list
DNSOP <at> ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Permalink | Reply | 0 comments |
headers
SM | 10 Apr 2009 16:56

Re: "MX 0 ." standard way of saying "we don't do email" ?

At 06:53 10-04-2009, Edward Lewis wrote:
>There are three messages in the namedroppers archive about 
>this.  One post says "send it to DNSOP." (So, it's about time. ;) )

And DNSOP said :-)

>But the draft really isn't about DNS.  It's about SMTP.

The question of NULL MX came up last year during a discussion about 
SMTP.  The SMTP question is about how to locate the target host.  As 
the proposal in the expired I-D has an operational impact on DNS 
operations, the SMTP folks will probably ask for the opinion of DNSOP.

Regards,
-sm 

_______________________________________________
DNSOP mailing list
DNSOP <at> ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Permalink | Reply | 1 comment |
headers
Edward Lewis | 10 Apr 2009 17:41
Favicon

Re: "MX 0 ." standard way of saying "we don't do email" ?

At 7:56 -0700 4/10/09, SM wrote:
>At 06:53 10-04-2009, Edward Lewis wrote:
>>There are three messages in the namedroppers archive about this.  One post
>>says "send it to DNSOP." (So, it's about time. ;) )
>
>And DNSOP said :-)

Until the post, no one brought this to the WG's attention.

(As an aside: I keep tabs on DNS, not SMTP.  If there's an issue in 
SMTP and no one brings it in front of the DNS lists, I'm not going to 
see the issue much less bring it to the DNS lists.)

>
>>But the draft really isn't about DNS.  It's about SMTP.
>
>The question of NULL MX came up last year during a discussion about SMTP.
>The SMTP question is about how to locate the target host.  As the proposal
>in the expired I-D has an operational impact on DNS operations, the SMTP
>folks will probably ask for the opinion of DNSOP.

My opinion is that "it doesn't matter to DNS protocol and 
operations." No more so than, e.g., what ENUM does with the contents 
of NAPTR records has as an impact on the DNS.  (My opinion is not 
indicative of a consensus of the working group.)
--

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.
_______________________________________________
DNSOP mailing list
DNSOP <at> ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Permalink | Reply | 0 comments |
headers
Alfred Hönes | 10 Apr 2009 21:12
Picon

Re: "MX 0 ." standard way of saying "we don't do email" ?

<ondrej.sury at nic.cz>  wrote:

> Since it looks like it is already in use (at least in some MTAs)
> I am willing to help to standardize this.  However I lack an
> experience what to do if there is no smtp working group.  Should I
> send it to apps area ml, or to chairs of apps area?
>
> It seems to be overkill to start whole wg just to standardize one
> draft, isn't it?

There is a "Pseudo WG" with a proper mailing list, ietf-smtp at imc.org
( see http://www.imc.org/ietf-smtp/ ).

That list has been used for the development of RFC 5321 and it is
going to be used for the desired Full Standard successor of it,
and there also is a well-renowned pseudo-chair ...

I suggest to redirect the discussion to than list, as indeed
it is a matter of the SMTP client (MTA) looking up MX records,
how to deal with the outcome returned from the resolver library.

Last year, there have been long discussions on MX to {A|AAAA}
fallback, and so I expect that the idea most likely will not be
received with much enthusiasm ...

Kind regards,
  Alfred Hönes.

--

-- 

+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes   |  Alfred Hoenes   Dipl.-Math., Dipl.-Phys.  |
| Gerlinger Strasse 12   |  Phone: (+49)7156/9635-0, Fax: -18         |
| D-71254  Ditzingen     |  E-Mail:  ah <at> TR-Sys.de                     |
+------------------------+--------------------------------------------+

_______________________________________________
DNSOP mailing list
DNSOP <at> ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Permalink | Reply | 0 comments |

Gmane