[ Cc: to the dane WG list, in the hope that some here might be
  able to assist, if they have direct contacts at the provider.
  Please don't Cc: any follow-up list discussion to the ISP contact
  address.  This is the final report!  Just 5 DNS hosting providers
  appear to account for all the non-sporadic failures of TLSA
  lookups. ]

Many ns0.nl domains emit incorrect denial of existence NSEC3 records
for DANE TLSA queries.  This will cause email delivery problems to
your customers' domains if not resolved by fixing the nameserver
software.  My (surely incomplete) list of affected domains is below.

The newly updated (thanks Casey!) dnsviz.net site now gives a very
clear picture of the problem (just "mouse over" the NSEC3 record
box).  The NODATA response is not accompanied by any NSEC3 records
that match the hash of the Qname, rather the NSEC3 records prove
NXDOMAIN, but the RCODE is incorrectly NOERROR:

    http://dnsviz.net/d/_25._tcp.mail.photoshoplayerstyle.com/dnssec/?rr=52&a=all&ds=all&doe=on&ta=.&tk=

The closest encloser is "mail.photoshoplayerstyle.com", and the
NSEC3 records returned exclude the presence of "*mail.photoshoplayerstyle.com":

    $ dig +cd +dnssec -t tlsa _25._tcp.mail.photoshoplayerstyle.com. +nocl +nottl |
        pcregrep 'status:|^;; flags|\.\s+NSEC'
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43917
    ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
    s65rgcpqslu0ftooro2f1su7nd7ve67b.photoshoplayerstyle.com. NSEC3 1 0 100 57AE8C5E617F9173 40EEHCT3600L9LLE0HTHM25UKF4AKVPJ A NS SOA MX RRSIG DNSKEY NSEC3PARAM
    40eehct3600l9lle0hthm25ukf4akvpj.photoshoplayerstyle.com. NSEC3 1 0 100 57AE8C5E617F9173 5DKJRL27ESVU3IV4EJR83HBJPPURER2K A RRSIG
    qn0r3962bhci2jsktqa29urqefoql1jk.photoshoplayerstyle.com. NSEC3 1 0 100 57AE8C5E617F9173 S65RGCPQSLU0FTOORO2F1SU7ND7VE67B A RRSIG

    $ ldns-nsec3-hash -t 100 -s 57AE8C5E617F9173 _25._tcp.mail.photoshoplayerstyle.com
    dr1og56r60uhgn6l1o81nmr1q71inas6.
    $ ldns-nsec3-hash -t 100 -s 57AE8C5E617F9173 _tcp.mail.photoshoplayerstyle.com
    3launk5llo6614jm12c5si3fbq6td7uh.
    $ ldns-nsec3-hash -t 100 -s 57AE8C5E617F9173 mail.photoshoplayerstyle.com
    40eehct3600l9lle0hthm25ukf4akvpj.
    $ ldns-nsec3-hash -t 100 -s 57AE8C5E617F9173 '*mail.photoshoplayerstyle.com'
    4bkj4e34gpijvjbdfhn6t6urpj4gsb85.
    $ ldns-nsec3-hash -t 100 -s 57AE8C5E617F9173 '*.photoshoplayerstyle.com'
    qn0r3962bhci2jsktqa29urqefoql1jk.

They do, however, prove the wildcard "*.photoshoplayerstyle.com" A
record, so it seems this is erroneously reported here despite the
fact that mail.photoshoplayerstyle.com exists.

Queries for the TLSA records of all the MX hosts below similarly
fail validation.  What and when might be done to fully address this
issue?

Domain                             _25._tcp.mx-host. IN TLSA ?
---------------------------------  ---------------------------
photoshoplayerstyle.com.           _25._tcp.mail.photoshoplayerstyle.com. IN TLSA ?
badpunt.nl.                        _25._tcp.mail.badpunt.nl. IN TLSA ?
emij.nl.                           _25._tcp.emijx1.emij.nl. IN TLSA ?
getinteractive.nl.                 _25._tcp.x9.getinteractive.nl. IN TLSA ?
go4camp.nl.                        _25._tcp.mail.go4camp.nl. IN TLSA ?
imageserve.nl.                     _25._tcp.mail.imageserve.nl. IN TLSA ?
internet123.nl.                    _25._tcp.mail.internet123.nl. IN TLSA ?
orionvolleybal.nl.                 _25._tcp.mail.orionvolleybal.nl. IN TLSA ?
sollicitatiedokter.nl.             _25._tcp.mail.sollicitatiedokter.nl. IN TLSA ?
wpnet.nl.                          _25._tcp.mail01.wpnet.nl. IN TLSA ?

-- 
        Viktor.
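As an added example (my own code, not from Viktor's post nor from the provider's nameserver software), the following Python reproduces the NSEC3 hashing shown above with the post's salt and iteration count and applies the RFC 5155 proof rules to the three NSEC3 records copied from the dig output. It shows that no record matches the hash of the QNAME (so there is no NODATA proof), while "mail.photoshoplayerstyle.com" matches as closest encloser and "_tcp.mail.photoshoplayerstyle.com" is covered, i.e. the records form an NXDOMAIN proof that does not fit the NOERROR RCODE.

```python
import base64
import hashlib

# Zone parameters and NSEC3 records copied from the post's dig output
# (SHA-1, 100 iterations, salt 57AE8C5E617F9173); owner hash -> (next hash, type bitmap).
SALT_HEX, ITERATIONS = "57AE8C5E617F9173", 100
NSEC3S = {
    "s65rgcpqslu0ftooro2f1su7nd7ve67b": ("40eehct3600l9lle0hthm25ukf4akvpj",
                                         {"A", "NS", "SOA", "MX", "RRSIG", "DNSKEY", "NSEC3PARAM"}),
    "40eehct3600l9lle0hthm25ukf4akvpj": ("5dkjrl27esvu3iv4ejr83hbjppurer2k", {"A", "RRSIG"}),
    "qn0r3962bhci2jsktqa29urqefoql1jk": ("s65rgcpqslu0ftooro2f1su7nd7ve67b", {"A", "RRSIG"}),
}
# RFC 4648 base32 -> base32hex alphabet, the encoding NSEC3 owner names use
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex=SALT_HEX, iterations=ITERATIONS):
    """RFC 5155 hash: SHA-1(wire-format lowercase name || salt), re-hashed `iterations` more times."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32HEX).lower()

def covers(owner, nxt, h):
    """True if the span owner -> nxt covers hash h (the last record wraps around to the first)."""
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)

def denied(name, nsec3s):
    """True if some NSEC3 span in the response covers name's hash, i.e. proves the name absent."""
    h = nsec3_hash(name)
    return any(covers(owner, nxt, h) for owner, (nxt, _) in nsec3s.items())

def classify(qname, qtype, nsec3s=NSEC3S):
    """Report what the NSEC3 set proves: a NODATA proof needs a record *matching* H(qname);
    an NXDOMAIN proof needs a matching closest encloser plus a covered next-closer name."""
    match = nsec3s.get(nsec3_hash(qname))
    if match is not None:
        return {"kind": "nodata" if qtype not in match[1] else "exists", "closest_encloser": qname}
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):  # walk upwards to the longest existing ancestor
        ce, next_closer = ".".join(labels[i:]), ".".join(labels[i - 1:])
        if nsec3_hash(ce) in nsec3s:
            if denied(next_closer, nsec3s):
                return {"kind": "nxdomain", "closest_encloser": ce,
                        "wildcard_denied": denied("*." + ce, nsec3s)}
            break
    return {"kind": "no proof", "closest_encloser": None}
```

Calling `classify("_25._tcp.mail.photoshoplayerstyle.com", "TLSA")` returns kind "nxdomain" with closest encloser "mail.photoshoplayerstyle.com", matching the dnsviz analysis in the post.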

_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane