test message


test message

Thomas Markwalder
User states list isn't working.

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: test message

/dev/rob0
On Wed, Apr 11, 2018 at 08:58:56AM -0400, Thomas Markwalder wrote:
> User states list isn't working.

I think what wasn't working was https://lists.isc.org/ , because the
SSL certificate was expired.  This has since been fixed.  I posted
about that to the BIND list last night, and DANE (RFC 6698) did not
fail,

Apr 11 00:12:28 harrier postfix/smtp[1273]: Verified TLS connection
established to mx.pao1.isc.org[149.20.64.53]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

But then, AFAIK DANE only cares about the RRSIG on the TLSA record,
not about a certificate's own expiration, so a DANE connection can
still be "Verified" while the certificate is expired.

If this doesn't arrive on the list right away it might mean that
ISC's TLSA records were not updated yet for the new certificates. :)
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: test message

Bjørn Mork
/dev/rob0 <[hidden email]> writes:

> If this doesn't arrive on the list right away it might mean that
> ISC's TLSA records were not updated yet for the new certificates. :)

Does not look like it to me:

bjorn@canardo:~$ tlsa -dv lists.isc.org
Received the following record for name _443._tcp.lists.isc.org.:
        Usage:                          3 (End-Entity [DANE-EE])
        Selector:                       0 (Certificate [Cert])
        Matching Type:                  1 (SHA-256)
        Certificate for Association:    9c4e7241418a0580e130c127562a5934343640bd9863109be1d0cb1fd3d12a38
This record is valid (well-formed).
Attempting to verify the record with the TLS service...
Unable to resolve lists.isc.org.: Unsuccessful DNS lookup or no data returned for rrtype AAAA (28).
Got the following IP: 149.20.1.60
Did set servername lists.isc.org
FAIL (Usage 3 [DANE-EE]): Certificate offered by the server does not match the TLSA record (149.20.1.60)


They should probably consider the good advice found here:
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022

and combine that with Viktor's recommendations given here:
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html



Bjørn

Re: test message

/dev/rob0
On Wed, Apr 11, 2018 at 10:15:12PM +0200, Bjørn Mork wrote:
> /dev/rob0 <[hidden email]> writes:
>
> > If this doesn't arrive on the list right away it might mean that

(It did arrive and was distributed right away.)

> > ISC's TLSA records were not updated yet for the new certificates. :)
>
> Does not look like it to me:
>
> bjorn@canardo:~$ tlsa -dv lists.isc.org

That's the wrong hostname for mail.  Check the MX for lists.isc.org.

$ dig lists.isc.org. mx +noall +answer

; <<>> DiG 9.11.26 <<>> lists.isc.org. mx +noall +answer
;; global options: +cmd
lists.isc.org.          7200    IN      MX      10 mx.ams1.isc.org.
lists.isc.org.          7200    IN      MX      10 mx.pao1.isc.org.

$ for Site in pao ams ; do dig _25._tcp.mx.${Site}1.isc.org. tlsa +noall +answer ; done

; <<>> DiG 9.11.27 <<>> _25._tcp.mx.pao1.isc.org. tlsa +noall +answer
;; global options: +cmd
_25._tcp.mx.pao1.isc.org. 3600  IN      TLSA    3 0 1 71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0

; <<>> DiG 9.11.28 <<>> _25._tcp.mx.ams1.isc.org. tlsa +noall +answer
;; global options: +cmd
_25._tcp.mx.ams1.isc.org. 3600  IN      TLSA    3 0 1 5EF9B10DA21B2711522982EAD699FBABE77FD07FF07AC810608A85DA 66AFE916

> Received the following record for name _443._tcp.lists.isc.org.:
>         Usage:                          3 (End-Entity [DANE-EE])
>         Selector:                       0 (Certificate [Cert])
>         Matching Type:                  1 (SHA-256)
>         Certificate for Association:    9c4e7241418a0580e130c127562a5934343640bd9863109be1d0cb1fd3d12a38
> This record is valid (well-formed).
> Attempting to verify the record with the TLS service...
> Unable to resolve lists.isc.org.: Unsuccessful DNS lookup or no data returned for rrtype AAAA (28).
> Got the following IP: 149.20.1.60
> Did set servername lists.isc.org
> FAIL (Usage 3 [DANE-EE]): Certificate offered by the server does not match the TLSA record (149.20.1.60)

We're drifting off topic here, but I thought DANE hadn't really made
it to HTTPS yet?  This appears wrong, but does it matter?  DANE is in
use for SMTP.

> They should probably consider the good advice found here:
> https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
>
> and combine that with Viktor's recommendations given here:
> https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html

Of course.  In addition I'd suggest that LE certificates, while nice
for HTTPS, have no place in port 25 SMTP.  465/587 submission, yes,
because it will help with MUAs, but for mail exchange, I use my own
private CA.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
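An added worked example for the DANE points raised in the messages above (rob0's note that a DANE-EE session stays "Verified" with an expired certificate, the 3 0 1 records shown for mx.pao1 and mx.ams1, and the Let's Encrypt advice Bjørn links to). It is not code from either poster or from ISC. It parses a dig TLSA answer line of the form quoted above, computes RFC 6698 association data for selectors 0/1 and matching types 0/1/2 from a certificate's DER, and performs the usage 3 comparison, which is nothing more than a byte compare. The certificate is a constructed, Certificate-shaped DER blob built inline (empty names, validity already expired, placeholder signature) so the script runs offline; the function names (der_tlv, spki_from_cert, renewal_demo and so on) are this example's own. The renewal demo shows why 3 0 1 is fragile: re-issue the certificate with the same key pair and a new serial, and the full-certificate hash changes while the SPKI hash does not.

```python
"""DANE-EE (usage 3) TLSA check, RFC 6698 / RFC 7671.

Added example for this thread; not code from the posters or from ISC.
The certificate is a synthetic, constructed DER structure built inline so
the script runs offline; only the TLSA answer line is taken from the thread.
"""
import hashlib
import re


def der_tlv(tag, content):
    """Encode one DER TLV (definite length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf, pos=0):
    """Decode the TLV at pos: return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    return tag, buf[pos + hdr:pos + hdr + n], pos + hdr + n


def der_children(content):
    """Yield (tag, whole TLV bytes) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(content):
        tag, _, nxt = der_read(content, pos)
        yield tag, content[pos:nxt]
        pos = nxt


def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo (full TLV) of an X.509 certificate.
    RFC 5280 4.1: TBSCertificate = [0] version OPTIONAL, serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ..."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs = next(der_children(cert_body))            # tbsCertificate
    fields = [tlv for _, tlv in der_children(der_read(tbs)[1])]
    if fields[0][0] == 0xA0:                           # explicit [0] version present
        fields = fields[1:]
    return fields[5]


def tlsa_matching_data(cert_der, selector, mtype):
    """Selector 0 = full certificate, 1 = SPKI; matching type 0/1/2 = raw/SHA-256/SHA-512."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    return {0: lambda d: d,
            1: lambda d: hashlib.sha256(d).digest(),
            2: lambda d: hashlib.sha512(d).digest()}[mtype](data)


def dane_ee_matches(cert_der, usage, selector, mtype, assoc):
    """DANE-EE compares the association data only: no PKIX chain, no name
    check and no expiry check (RFC 7671, section 5.1). That is why the
    Postfix session in the thread could be 'Verified' with an expired cert."""
    if usage != 3:
        raise ValueError("only DANE-EE (usage 3) is implemented here")
    return tlsa_matching_data(cert_der, selector, mtype) == assoc


TLSA_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+TLSA\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f ]+)$")


def parse_tlsa_answer(line):
    """Parse a 'dig ... tlsa +noall +answer' line; dig splits the hex with spaces."""
    m = TLSA_LINE.match(line.strip())
    if not m:
        raise ValueError("not a TLSA answer line: %r" % line)
    owner, usage, sel, mtype, hexdata = m.groups()
    return owner, int(usage), int(sel), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))


# Constructed SPKI: id-ecPublicKey / prime256v1 with a dummy point (not a usable key).
SPKI = der_tlv(0x30,
               der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a8648ce3d0201"))
                       + der_tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
               + der_tlv(0x03, b"\x00\x04" + bytes(range(64))))


def build_fake_cert(spki, serial):
    """Constructed Certificate-shaped DER (empty names, already-expired validity,
    placeholder signature); enough to exercise the parser, not a real cert."""
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    name = der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_tlv(0x17, b"180101000000Z") + der_tlv(0x17, b"180401000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial]))
                  + alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 33))


def renewal_demo():
    """Pin the 'old' cert with 3 0 1 and 3 1 1, then 're-issue' it with the same
    key pair and a new serial. Returns (3 0 1 still matches, 3 1 1 still matches)."""
    old, new = build_fake_cert(SPKI, 1), build_fake_cert(SPKI, 2)
    pinned_301 = tlsa_matching_data(old, 0, 1)
    pinned_311 = tlsa_matching_data(old, 1, 1)
    return (dane_ee_matches(new, 3, 0, 1, pinned_301),
            dane_ee_matches(new, 3, 1, 1, pinned_311))


if __name__ == "__main__":
    print(parse_tlsa_answer("_25._tcp.mx.pao1.isc.org. 3600  IN      TLSA    3 0 1 "
                            "71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0"))
    print("3 0 1 / 3 1 1 still match after re-issue with the same key:", renewal_demo())
```

Run as a script it prints the parsed mx.pao1 record and (False, True) from renewal_demo(). To check a live record, replace the constructed certificate with the DER the MX actually presents (for example captured with openssl s_client -connect host:25 -starttls smtp) and feed the dig answer line to parse_tlsa_answer; the comparison logic does not change, and note that it deliberately never looks at the certificate's validity dates.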

Re: test message

Bjørn Mork
/dev/rob0 <[hidden email]> writes:

> That's the wrong hostname for mail.  Check the MX for lists.isc.org.
>
> $ dig lists.isc.org. mx +noall +answer
>
> ; <<>> DiG 9.11.26 <<>> lists.isc.org. mx +noall +answer
> ;; global options: +cmd
> lists.isc.org.          7200    IN      MX      10 mx.ams1.isc.org.
> lists.isc.org.          7200    IN      MX      10 mx.pao1.isc.org.
>
> $ for Site in pao ams ; do dig _25._tcp.mx.${Site}1.isc.org. tlsa +noall +answer ; done
>
> ; <<>> DiG 9.11.27 <<>> _25._tcp.mx.pao1.isc.org. tlsa +noall +answer
> ;; global options: +cmd
> _25._tcp.mx.pao1.isc.org. 3600  IN      TLSA    3 0 1 71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0
>
> ; <<>> DiG 9.11.28 <<>> _25._tcp.mx.ams1.isc.org. tlsa +noall +answer
> ;; global options: +cmd
> _25._tcp.mx.ams1.isc.org. 3600  IN      TLSA    3 0 1 5EF9B10DA21B2711522982EAD699FBABE77FD07FF07AC810608A85DA 66AFE916


Yes, mx.pao1.isc.org is fine as shown by https://dane.sys4.de/smtp/lists.isc.org

mx.ams1.isc.org does not answer on port 25 so it's hard to tell if the
certificate is OK.


>> Received the following record for name _443._tcp.lists.isc.org.:
>>         Usage:                          3 (End-Entity [DANE-EE])
>>         Selector:                       0 (Certificate [Cert])
>>         Matching Type:                  1 (SHA-256)
>>         Certificate for Association:    9c4e7241418a0580e130c127562a5934343640bd9863109be1d0cb1fd3d12a38
>> This record is valid (well-formed).
>> Attempting to verify the record with the TLS service...
>> Unable to resolve lists.isc.org.: Unsuccessful DNS lookup or no data returned for rrtype AAAA (28).
>> Got the following IP: 149.20.1.60
>> Did set servername lists.isc.org
>> FAIL (Usage 3 [DANE-EE]): Certificate offered by the server does not match the TLSA record (149.20.1.60)
>
> We're drifting off topic here, but I thought DANE hadn't really made
> it to HTTPS yet?  This appears wrong, but does it matter?

They have chosen to publish a TLSA record.  Of course it matters.  If it
didn't, then they surely wouldn't have gone through the extra hassle of
maintaining yet another TLSA record.  Would they?

I guess there is still too much money in the https business for full
DANE support in browsers.  You can use the excellent plugin from
https://www.dnssec-validator.cz/ to get a visual hint.  But it doesn't
replace a DANE validating browser.  The plugin cannot override the
certificate expiration checks built into the browsers, and it does not
ask any questions even if the TLSA validation fails.

> DANE is in use for SMTP.

Maybe. I'm not convinced there are too many strictly validating MTAs out
there...

>> They should probably consider the good advice found here:
>> https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
>>
>> and combine that with Viktor's recommendations given here:
>> https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
>
> Of course.  In addition I'd suggest that LE certificates, while nice
> for HTTPS, have no place in port 25 SMTP.  465/587 submission, yes,
> because it will help with MUAs, but for mail exchange, I use my own
> private CA.

I would have agreed a couple of years ago. Of course you *can* use a
private CA for smtp without any issues, and there might be advantages
like being able to relay based on the CA. But LE has made it simpler to
use their CA than maintaining your own.  There is really no reason why
you shouldn't take advantage of that for smtp too.


Bjørn