Viktor Dukhovni:
> > On Sep 28, 2020, at 7:09 PM, Wietse Venema <wie...@porcupine.org> wrote:
> >
> > We could log the DNSSEC status only if DNS was 'secure', like we
> > log the connection reuse counter only when a connection was used
> > more than once.
>
> Makes sense I think, and would probably do the job. The key
> question is what to signal, there are three relevant bits to
> log (similar to delays=a/b/c/d perhaps):
>
> * Was the MX RRset signed
> * Was the MX host address RRset signed
> * Were DANE TLSA RRs found for the MX host.
>
> If all are false, log nothing, if at least one is true, then
> log the triple as some subset of
>
> dnssec=mx,addr,tlsa
>
> How does that sound?
If an SMTP connection is reused, the Postfix SMTP client would get
the DNSSEC status from the connection cache daemon. Otherwise, the
Postfix SMTP client will have to pass that info to the connection
cache daemon. This could represent the DNSSEC status as a bit mask.

The Postfix SMTP client's DNSSEC status is scattered over multiple
data structures, sometimes explicit in the form of DNS resource
records, and sometimes implicit in the form of derived information.

Just like the connection reuse count, the bounce/defer/etc. protocols
could internally propagate the DNSSEC status bitmask via the msg_stats
structure.

Below is a quick 30-minute analysis of what is where.

	Wietse

All Postfix SMTP client state is kept in an SMTP_STATE object which
owns the SMTP_ITERATOR, SMTP_TLS_POLICY, and SMTP_SESSION.

The SMTP_ITERATOR maintains DNS resource records as the SMTP client
iterates over mail server IP addresses. These records give us two
of the three items that we want to log:

    typedef struct SMTP_ITERATOR {
        ...
        struct DNS_RR *rr;              /* current A or AAAA record or null */
        struct DNS_RR *mx;              /* MX resource record(s) or null */
        ...
        struct SMTP_STATE *parent;      /* parent linkage */
    } SMTP_ITERATOR;

TLSA information exists only in the form of derived information.
One has to assume that DNSSEC was validated, otherwise the TLS_DANE
field should be null. I don't think that there will be a need for
a parent link to find the SMTP_ITERATOR or SMTP_SESSION objects.

    typedef struct SMTP_TLS_POLICY {
        ...
        TLS_DANE *dane;                 /* DANE TLSA digests or null */
        ...
        /* No parent linkage */
    } SMTP_TLS_POLICY;

Depending on the usage context, sometimes only SMTP_SESSION state
is available, but this has a parent link, so no problem finding the
rest of what is needed to log the DNSSEC status.

    typedef struct SMTP_SESSION {
        ...
        SMTP_STATE *state;              /* back link */
    } SMTP_SESSION;
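The following is an added illustration of the two ideas in this exchange, Viktor's three-bit "dnssec=mx,addr,tlsa" subset and Wietse's bitmask derived from the SMTP_ITERATOR and SMTP_TLS_POLICY members listed above. It is not code from the thread or from Postfix: the struct definitions are minimal stand-ins with only the members the example needs, and the DNSSEC_* bit names, the dnssec_valid member, and the functions dnssec_status() and dnssec_format() are hypothetical names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * One bit per item in Viktor's list. These names are hypothetical;
 * Postfix does not define them.
 */
#define DNSSEC_MX   (1U << 0)   /* MX RRset was DNSSEC-validated */
#define DNSSEC_ADDR (1U << 1)   /* A/AAAA RRset of the MX host was validated */
#define DNSSEC_TLSA (1U << 2)   /* DANE TLSA RRs were found for the MX host */

/*
 * Minimal stand-ins for the Postfix structures named in the thread,
 * reduced to the members this example needs. The dnssec_valid member
 * is an assumption made for this example.
 */
typedef struct DNS_RR {
    int     dnssec_valid;       /* non-zero if the RRset was validated */
} DNS_RR;

typedef struct TLS_DANE {
    int     placeholder;        /* the real one holds TLSA digests */
} TLS_DANE;

typedef struct SMTP_ITERATOR {
    DNS_RR *rr;                 /* current A or AAAA record or null */
    DNS_RR *mx;                 /* MX resource record(s) or null */
} SMTP_ITERATOR;

typedef struct SMTP_TLS_POLICY {
    TLS_DANE *dane;             /* DANE TLSA digests or null */
} SMTP_TLS_POLICY;

/*
 * Derive the bitmask from the two places where the status lives: the
 * iterator's RRs carry an explicit validation flag, while a non-null
 * dane pointer is the implicit evidence that TLSA RRs were found (and
 * therefore that DNSSEC validation succeeded for that lookup).
 */
unsigned dnssec_status(const SMTP_ITERATOR *iter, const SMTP_TLS_POLICY *tls)
{
    unsigned mask = 0;

    if (iter->mx != 0 && iter->mx->dnssec_valid)
        mask |= DNSSEC_MX;
    if (iter->rr != 0 && iter->rr->dnssec_valid)
        mask |= DNSSEC_ADDR;
    if (tls->dane != 0)
        mask |= DNSSEC_TLSA;
    return (mask);
}

/*
 * Render the mask as "dnssec=mx,addr,tlsa" with only the set members,
 * in that fixed order. Returns 1 if there is something to log, 0 if
 * the mask is empty (buf is then the empty string, so nothing should
 * be logged), and -1 if buf is too small for the full text.
 */
int dnssec_format(unsigned mask, char *buf, size_t len)
{
    static const struct {
        unsigned bit;
        const char *name;
    } names[] = {
        { DNSSEC_MX, "mx" },
        { DNSSEC_ADDR, "addr" },
        { DNSSEC_TLSA, "tlsa" },
    };
    size_t  used;
    size_t  i;
    int     first = 1;

    if (len == 0)
        return (-1);
    buf[0] = '\0';
    if (mask == 0)
        return (0);
    used = (size_t) snprintf(buf, len, "dnssec=");
    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        if ((mask & names[i].bit) == 0)
            continue;
        if (used >= len)
            return (-1);
        used += (size_t) snprintf(buf + used, len - used, "%s%s",
                                  first ? "" : ",", names[i].name);
        first = 0;
    }
    return (used < len ? 1 : -1);
}

int main(void)
{
    /* Constructed sample state: validated MX and address, TLSA found. */
    DNS_RR  secure = { 1 };
    TLS_DANE dane = { 0 };
    SMTP_ITERATOR iter = { &secure, &secure };
    SMTP_TLS_POLICY tls = { &dane };
    char    buf[64];

    if (dnssec_format(dnssec_status(&iter, &tls), buf, sizeof(buf)) > 0)
        printf("%s\n", buf);            /* dnssec=mx,addr,tlsa */
    return (0);
}
```

The mask is a single unsigned value, so it can travel through the connection cache protocol and through msg_stats the same way the reuse count does; only the logging side needs to know the names of the bits, and the "log nothing when all are false" rule falls out of dnssec_format() returning 0.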