Hi, we have recently enabled outbound TLSA/DANE on our Postfix MTAs and have come across a number of validation errors. These have the following in common:
- The zone where the mailserver (right side of the MX record of the target domain) resides is signed
- there is a wildcard record on the zone level
- lookup of mailserver A/AAAA works fine and is authenticated
- lookup of _25._tcp.mailserver TLSA leads to SERVFAIL on our resolver (BIND 9.9.5), Google DNS and both DNS-OARC resolvers

Examples:
_25._tcp.vdlc.nl
_25._tcp.mail.plexx.eu
_25._tcp.relay01.tt-mb.nl
_25._tcp.mail.cdv.cz

Sometimes DNSViz shows errors in the NSEC chaining (i.e. on the tt-mb.nl zone), but for example the mail.cdv.cz one looks fine. Yet I cannot validate the response.

Can anyone shed some light on this issue? Is there a signing error or a validation error? If there is a signing error, is this a bug in some commonly used software?

Thanks,
Bernhard

_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
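The failing lookups above are all negative answers (no TLSA RRset at a name that sits under a zone-level wildcard), and a validating resolver accepts such an answer only when the NSEC records it carries complete one of the proofs in RFC 4035 section 5.4: exact-match no-data, wildcard no-data, or name error with the matching wildcard denied. An incomplete proof is exactly what the resolver turns into SERVFAIL, whether the chain is mis-signed or the authoritative server left out an NSEC it should have sent. The following is an added example, not code from the post, from BIND or from Postfix: a small checker for those NSEC proofs, run over a constructed zone example.net with an apex wildcard carrying an A record and one explicitly defined mail host, modelled on the setup the post describes. All names, NSEC records and type bitmaps are constructed.

```python
"""NSEC denial-of-existence proof checker (RFC 4035 s5.4, RFC 4592).

Added example, not code from the post or from any DNS software.  All zone
names, NSEC records and type bitmaps below are constructed for illustration.
"""
from typing import Optional

# An NSEC record as (owner, next owner name, set of type mnemonics in its bitmap).
Nsec = tuple


def key(name: str) -> tuple:
    """Canonical ordering key (RFC 4034 s6.1): labels reversed, lower-cased, as bytes.
    Tuple comparison then gives DNSSEC canonical order (a parent sorts before its
    children, and labels compare as unsigned octet strings)."""
    name = name.rstrip(".").lower()
    return tuple(reversed([lab.encode() for lab in name.split(".")])) if name else ()


def covers(nsec: Nsec, k: tuple) -> bool:
    """True if k sorts strictly between the NSEC owner and its next name, i.e. the
    NSEC proves that no name k exists in the zone."""
    owner, nxt = key(nsec[0]), key(nsec[1])
    if owner < nxt:
        return owner < k < nxt
    return k > owner or k < nxt  # last NSEC in the chain wraps around to the apex


def closest_encloser(nsec: Nsec, q: tuple) -> tuple:
    """Longest ancestor of q that the covering NSEC proves to exist: the labels q
    shares with the NSEC owner or with its next name, whichever is longer."""
    best: tuple = ()
    for end in (key(nsec[0]), key(nsec[1])):
        i = 0
        while i < min(len(q), len(end)) and q[i] == end[i]:
            i += 1
        if i > len(best):
            best = q[:i]
    return best


def prove_denial(qname: str, qtype: str, nsecs: list) -> Optional[str]:
    """Classify the negative answer the NSEC set proves for (qname, qtype).

    Returns "nodata", "wildcard-nodata" or "nxdomain" when the proof is complete,
    and None when it is not: a validating resolver marks such a response bogus and
    answers SERVFAIL, whether the cause is a broken NSEC chain or a server that
    omitted an NSEC it should have sent."""
    q = key(qname)
    # Exact-match NODATA (s3.1.3.1): an NSEC owned by qname whose bitmap lacks qtype.
    for owner, _, types in nsecs:
        if key(owner) == q:
            return "nodata" if qtype not in types and "CNAME" not in types else None
    covering = [n for n in nsecs if covers(n, q)]
    if not covering:
        return None  # nothing proves that qname itself is absent
    wc = closest_encloser(covering[0], q) + (b"*",)  # the wildcard *.<closest encloser>
    # Wildcard NODATA (s3.1.3.4): the wildcard exists (has its own NSEC) but lacks qtype.
    for owner, _, types in nsecs:
        if key(owner) == wc:
            return "wildcard-nodata" if qtype not in types and "CNAME" not in types else None
    # NXDOMAIN (s3.1.3.2): qname is covered and so is *.<closest encloser>, so no
    # wildcard could have synthesized an answer either.
    if any(covers(n, wc) for n in nsecs):
        return "nxdomain"
    return None


# Constructed NSEC chain for a signed zone example.net with an apex wildcard that
# carries an A record and one explicitly defined mail host, like the setup in the post.
ZONE_NSECS = [
    ("example.net.", "*.example.net.", frozenset({"A", "NS", "SOA", "MX", "RRSIG", "NSEC", "DNSKEY"})),
    ("*.example.net.", "mail.example.net.", frozenset({"A", "RRSIG", "NSEC"})),
    ("mail.example.net.", "example.net.", frozenset({"A", "AAAA", "RRSIG", "NSEC"})),
]


def demo() -> dict:
    """Run the checker over the cases a DANE client hits against this zone."""
    return {
        # explicit host: TLSA under it must be NXDOMAIN, with *.mail.example.net denied
        "explicit host, full chain": prove_denial("_25._tcp.mail.example.net", "TLSA", ZONE_NSECS),
        # host synthesized from the wildcard: TLSA is a wildcard no-data answer
        "wildcard host, full chain": prove_denial("_25._tcp.host.example.net", "TLSA", ZONE_NSECS),
        # server returned only the mail.example.net NSEC, which covers neither the
        # query name nor the wildcard: proof incomplete
        "wildcard host, wildcard NSEC missing": prove_denial("_25._tcp.host.example.net", "TLSA", [ZONE_NSECS[2]]),
        # server returned only the apex wildcard's NSEC, which does not cover the
        # query name under the explicit host: proof incomplete
        "explicit host, covering NSEC missing": prove_denial("_25._tcp.mail.example.net", "TLSA", [ZONE_NSECS[1]]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result or 'no proof -> SERVFAIL'}")
```

The two `None` cases in the demo are what a resolver sees when the authoritative server omits the NSEC the proof needs: nothing in the response is forged, the proof simply cannot be completed, and the validator has no choice but SERVFAIL. Feeding the NSEC records from a `dig +dnssec +cd` response for one of the failing names through `prove_denial` is a quick way to tell a signing or serving error (the records present never complete a proof) from a resolver bug (they do, yet the resolver still fails).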
