Re: DANE and DLV

2015-01-07 Thread John Allen
On 07/01/2015 3:02 PM, Viktor Dukhovni wrote: On Wed, Jan 07, 2015 at 02:44:11PM -0500, James B. Byrne wrote: This is exactly our situation. We presently use DLV. I can get our upstream registrar to manually add DS RRs for our .com, .net; and I believe our .org tlds. But they will not do so f

Re: DANE and DLV

2015-01-07 Thread Viktor Dukhovni
On Wed, Jan 07, 2015 at 02:29:51PM -0600, John Hascall wrote: > On what what basis would we decide between a single TLSA record for the MX > vs. individual TLSA records for each actual host? Frankly, I don't see much point in load-balancers in front of inbound port 25 MX hosts. So I'd publish a

Re: DANE and DLV

2015-01-07 Thread John Hascall
Thanks, very helpful. One more question, though. You say: With All of the MX hosts having the same private key and certificate: *(this is true for us)* ... Or else multiple such TLSA RRs one per real MX host behind the load-balancer, if the number of back-end hosts is reasonably small. *(this n

Re: DANE and DLV

2015-01-07 Thread Viktor Dukhovni
On Wed, Jan 07, 2015 at 02:07:25PM -0600, John Hascall wrote: > Assume I have a domain with DNSSEC and inbound mail servers behind a > (load-balanced) MX which support TLS. With All of the MX hosts having the same private key and certificate: > If I've been following along correctly, if I publis

Re: DANE and DLV

2015-01-07 Thread John Hascall
I've been watching this thread with interest. Assume I have a domain with DNSSEC and inbound mail servers behind a (load-balanced) MX which support TLS. If I've been following along correctly, if I publish a DNS record of the form: _25._tcp.mx.mydomain.org. IN TLSA 3

Re: DANE and DLV

2015-01-07 Thread Viktor Dukhovni
On Wed, Jan 07, 2015 at 02:44:11PM -0500, James B. Byrne wrote: > This is exactly our situation. We presently use DLV. I can get our > upstream registrar to manually add DS RRs for our .com, .net; and I > believe our .org tlds. But they will not do so for our principal tlds > that belong to .ca.

Re: DANE and DLV

2015-01-07 Thread James B. Byrne
On Wed, January 7, 2015 13:54, Jean Bruenn wrote: > > On 07/01/15 02:07, Jim Reid wrote: >> BTW, it's particularly unwise to adopt DLV to kludge around TLD >> registries or registrars who can't/won't support DNSSEC properly. >> This was the OP's rationale for going down that path. IMO the >> OP sh

Re: DANE and DLV

2015-01-07 Thread Viktor Dukhovni
On Wed, Jan 07, 2015 at 07:54:03PM +0100, Jean Bruenn wrote: > I am > sure that I'll be able to find a registrar in Germany with the > same prices, a similar realtime API and DNSSEC support. > Still I would not like to switch after 10+ years without any > trouble, to another registrar - call me la

Re: DANE and DLV

2015-01-07 Thread Jean Bruenn
On 07/01/15 20:09, Thomas Leuxner wrote: * Jean Bruenn 2015.01.07 19:54: I don't want to go off-topic, but there still seem to be "many" registrars which do not support DNSSEC. I for example asked three different registrars in Germany and got the same answer - they're working on it; due to the

Re: DANE and DLV

2015-01-07 Thread Thomas Leuxner
* Jean Bruenn 2015.01.07 19:54: > I don't want to go off-topic, but there still seem to be "many" > registrars which do not support DNSSEC. I for example asked > three different registrars in Germany and got the same > answer - they're working on it; due to the little demand > they haven't implemen

Re: DANE and DLV

2015-01-07 Thread Viktor Dukhovni
On Wed, Jan 07, 2015 at 01:47:06PM -0500, John wrote: > >I am not sure I understand this. Why are you linking the two? > >I am not linking anything. > > I am not sure what TLSA updates have to do with key rotation, other than that it > might be a good idea to do them at the same time. Maybe it's my od

Re: DANE and DLV

2015-01-07 Thread Jean Bruenn
On 07/01/15 02:01, Viktor Dukhovni wrote: Of the approximately 800 domains that I found to have published DANE TLSA records for SMTP to date, too many had various problems. We'll announce a testing site soon that will help detect problems early, but it won't prevent them if the site's administr

Re: DANE and DLV

2015-01-07 Thread Jean Bruenn
On 07/01/15 02:07, Jim Reid wrote: BTW, it's particularly unwise to adopt DLV to kludge around TLD registries or registrars who can't/won't support DNSSEC properly. This was the OP's rationale for going down that path. IMO the OP should switch to another registrar and let the slacker registrar

Re: DANE and DLV

2015-01-07 Thread John
On 1/7/2015 1:22 PM, Viktor Dukhovni wrote: I am not sure I understand this. Why are you linking the two? I am not linking anything. I am not sure what TLSA updates have to do with key rotation, other than that it might be a good idea to do them at the same time. Maybe it's my odd ball way of readi

Re: DANE and DLV

2015-01-07 Thread Viktor Dukhovni
On Wed, Jan 07, 2015 at 01:00:10PM -0500, John wrote: > I assume this list is "best" to "worst" Roughly speaking yes, though none are a disaster. Pick usage "3" in most cases, but if you know what you're doing, want to operate an internal CA and have lots of hosts to secure, usage 2 might be ri

Re: DANE and DLV

2015-01-07 Thread John
I assume this list is "best" to "worst" ; Use "3 1 1", the other three are OK, but "3 1 1" is better. _25._tcp.mx.example.com. IN TLSA 3 1 1 _25._tcp.mx.example.com. IN TLSA 3 0 1 _25._tcp.mx.example.com. IN TLSA 3 1 2 _25._tcp.mx.example.com. IN TLSA 3

Re: DANE and DLV

2015-01-06 Thread Jim Reid
On 6 Jan 2015, at 23:18, Viktor Dukhovni wrote: > My email server, for example, specifically does not support the ISC DLV. Yay! > With the root zone and most TLDs signed, I don't think it makes sense to use > it anymore. +1000. DLV has always been a *remarkably* bad idea. It actually hinder

Re: DANE and DLV

2015-01-06 Thread Viktor Dukhovni
On Wed, Jan 07, 2015 at 12:45:53AM +0100, Jean Bruenn wrote: > What happens if I send an email to your Mailserver if there is > no DS-record for my domain in eu (which is why I use dlv - I added > the dnskey of a .eu testdomain there) the same as explained > below (no mail loss)? DANE plays no r

Re: DANE and DLV

2015-01-06 Thread Jean Bruenn
> Am 07.01.2015 um 00:18 schrieb Viktor Dukhovni : > >> On Tue, Jan 06, 2015 at 11:36:08PM +0100, Jean Bruenn wrote: >> >> I'd like to use DANE but since my registrar has no support for DNSSEC >> stuff yet (they're working on that) I am using DLV (dlv.isc.org) for now. >> Now I'd like to use th

Re: DANE and DLV

2015-01-06 Thread Viktor Dukhovni
On Tue, Jan 06, 2015 at 11:36:08PM +0100, Jean Bruenn wrote: > I'd like to use DANE but since my registrar has no support for DNSSEC > stuff yet (they're working on that) I am using DLV (dlv.isc.org) for now. > Now I'd like to use that with Postfix and for that to work I assume that > other sites

DANE and DLV

2015-01-06 Thread Jean Bruenn
Hello, I have a few questions not directly related to Postfix and hope it is fine to ask here. I'd like to use DANE but since my registrar has no support for DNSSEC stuff yet (they're working on that) I am using DLV (dlv.isc.org) for now. Now I'd like to use that with Postfix and for that to wor