The correct answer is NXDOMAIN based on the NSEC record, which says there are no records between _tcp.vdlc.nl and _autodiscover._tcp.vdlc.nl, i.e. there is no wildcard record at *._tcp.vdlc.nl.
The problem is a wildcard processing server error. It is generating the wrong response code. It is failing to account for the existence of _tcp.vdlc.nl.

; <<>> DiG 9.11.0pre-alpha <<>> +cd +dnssec tlsa _25._tcp.vdlc.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31073
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_25._tcp.vdlc.nl.              IN      TLSA

;; AUTHORITY SECTION:
*.vdlc.nl.              866     IN      RRSIG   NSEC 8 2 900 20141030000000 20141009000000 33075 vdlc.nl. 6bxF19YZNEA+HNGbA3RfbM1n8nsNwAthx7P4HQ2TEGSG/0hUTRCG+/ij feYNfhePWVgYVxaxlfablhkNXZhmcnUt+X/BAlh3LVdcY6HAjEgnXBqa lqTSiAzkbkJczsy/vw2f0e//RseFTPJ6G0Y/KTnDP9Sn9Fya4OzjhgkY fTk=
*.vdlc.nl.              866     IN      NSEC    _autodiscover._tcp.vdlc.nl. A RRSIG NSEC
vdlc.nl.                866     IN      SOA     ns1.hosting2go.nl. postmaster.vdlc.nl. 1378119762 10800 3600 604800 900
vdlc.nl.                866     IN      RRSIG   SOA 8 2 86400 20141030000000 20141009000000 33075 vdlc.nl. 1V5n1+mW6onYYsPyE9VMrziFoxXVmdp1Me2TaO2mJ8do3XDtesc6FJ3L cCXNgulV7p2hHZb8BPrt0xnnDlkyqK1qgRPBVzvLLrL22trRn9SOlzjz Zgm/OWgsciQNrliQAeacaZzXxGRyMbsa/H7HGAgEzm8LcqdqHfWPuhr0 CL4=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 16 21:42:19 EST 2014
;; MSG SIZE  rcvd: 491

Mark

In message <[email protected]>, Bernhard Schmidt writes:
> Hi,
>
> we have recently enabled outbound TLSA/DANE on our Postfix MTAs and have
> come across a number of validation errors. These have the following in
> common:
>
> - The zone where the mailserver (right side of the MX record of the
>   target domain) resides in is signed
> - there is a wildcard record on the zone level
> - lookup of mailserver A/AAAA works fine and is authenticated
> - lookup of _25._tcp.mailserver TLSA leads to SERVFAIL on our resolver
>   (BIND 9.9.5), Google DNS and both DNS-OARC resolvers
>
> Examples:
>
> _25._tcp.vdlc.nl
> _25._tcp.mail.plexx.eu
> _25._tcp.relay01.tt-mb.nl
> _25._tcp.mail.cdv.cz
>
> Sometimes DNSVIZ shows errors in the NSEC chaining (i.e. on the tt-mb.nl
> zone), but for example the mail.cdv.cz one looks fine. Yet I cannot
> validate the response.
>
> Can anyone shed some light on this issue? Is there a signing error or a
> validation error? If there is a signing error, is this a bug of some
> commonly used software?
>
> Thanks,
> Bernhard

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
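The reasoning in Mark's reply can be checked mechanically: put the NSEC owner and next name in DNSSEC canonical order (RFC 4034 section 6.1), find the closest encloser of the query name (RFC 4592), and see which wildcard, if any, is allowed to synthesize an answer. The Python below is an added example, not code from the thread or from BIND; it takes the NSEC record from the dig output above as its input and adds a constructed "example." zone for contrast. The rcode labels and helper names are this example's own.

```python
# Added example: does a set of NSEC records prove that a query name and its
# applicable wildcard do not exist? Uses DNSSEC canonical ordering
# (RFC 4034 s6.1), the closest-encloser rule (RFC 4592) and the
# NXDOMAIN/NODATA proof rules of RFC 4035 s5.4. Names are plain strings.

def _labels(name):
    # Lowercased labels, root-most first: canonical order compares from
    # the right-hand end of the name.
    name = name.rstrip(".").lower()
    return name.split(".")[::-1] if name else []

def canonical_cmp(a, b):
    """-1, 0 or 1 for a<b, a==b, a>b in DNSSEC canonical order. Labels are
    compared right to left as raw bytes; a proper ancestor sorts first."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x.encode() < y.encode() else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))

def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly inside the span (owner, next_name), i.e.
    this NSEC proves qname does not exist. The last NSEC of a chain has a
    next name that wraps round to the apex, so that span is open-ended."""
    after_owner = canonical_cmp(owner, qname) < 0
    before_next = canonical_cmp(qname, next_name) < 0
    if canonical_cmp(owner, next_name) < 0:
        return after_owner and before_next
    return after_owner or before_next      # wrap-around span

def _ancestors(name):
    # Proper ancestors, closest first: "a.b.c." -> ["b.c.", "c."]
    parts = name.rstrip(".").lower().split(".")
    return [".".join(parts[i:]) + "." for i in range(1, len(parts))]

def existing_names(nsecs, apex):
    """Every name the NSEC set proves to exist: each owner and next name plus
    their in-zone ancestors. Empty non-terminals such as _tcp.vdlc.nl own no
    records and never get an NSEC of their own; they are only visible as
    ancestors of names that do."""
    names = set()
    for owner, nxt, _types in nsecs:
        for n in (owner, nxt):
            names.add(n.lower())
            names.update(a for a in _ancestors(n)
                         if a == apex or a.endswith("." + apex))
    return names

def applicable_wildcard(qname, nsecs, apex):
    """The only wildcard that may synthesize an answer for qname is
    '*.' + closest encloser (its longest existing ancestor), RFC 4592."""
    names = existing_names(nsecs, apex)
    for anc in _ancestors(qname):
        if anc in names:
            return "*." + anc
    return "*." + apex

def expected_rcode(qname, nsecs, apex):
    """What these NSECs entitle a negative answer to claim:
    NODATA   - qname owns an NSEC (it exists, just lacks the type)
    WILDCARD - qname is denied but the applicable wildcard exists, so the
               server must expand it (NOERROR)
    NXDOMAIN - both qname and the applicable wildcard are proven absent
    UNPROVEN - the NSEC set does not settle the question"""
    if any(o.lower() == qname.lower() for o, _n, _t in nsecs):
        return "NODATA"
    if not any(nsec_covers(o, n, qname) for o, n, _t in nsecs):
        return "UNPROVEN"
    wc = applicable_wildcard(qname, nsecs, apex)
    if any(o.lower() == wc for o, _n, _t in nsecs):
        return "WILDCARD"
    if any(nsec_covers(o, n, wc) for o, n, _t in nsecs):
        return "NXDOMAIN"
    return "UNPROVEN"

def response_consistent(rcode, qname, nsecs, apex):
    """A validator treats a NOERROR answer whose own NSEC records prove the
    name absent as bogus; that mismatch is the SERVFAIL in the thread."""
    want = expected_rcode(qname, nsecs, apex)
    return (rcode == "NXDOMAIN" and want == "NXDOMAIN") or \
           (rcode == "NOERROR" and want in ("NODATA", "WILDCARD"))

# NSEC from the dig output above: (owner, next name, types).
VDLC_NSECS = [("*.vdlc.nl.", "_autodiscover._tcp.vdlc.nl.", {"A", "RRSIG", "NSEC"})]

# Constructed contrast zone: zone-level wildcard, no _tcp empty non-terminal.
EXAMPLE_NSECS = [("example.", "*.example.", {"SOA", "NS", "RRSIG", "NSEC"}),
                 ("*.example.", "mail.example.", {"A", "RRSIG", "NSEC"}),
                 ("mail.example.", "example.", {"A", "RRSIG", "NSEC"})]

if __name__ == "__main__":
    q = "_25._tcp.vdlc.nl."
    print(applicable_wildcard(q, VDLC_NSECS, "vdlc.nl."))   # *._tcp.vdlc.nl.
    print(expected_rcode(q, VDLC_NSECS, "vdlc.nl."))        # NXDOMAIN
    print(response_consistent("NOERROR", q, VDLC_NSECS, "vdlc.nl."))  # False
```

For _25._tcp.vdlc.nl the single NSEC covers both the query name and *._tcp.vdlc.nl, while *.vdlc.nl is ruled out as a match because _tcp.vdlc.nl exists as an empty non-terminal; the server's NOERROR therefore contradicts its own authority section. In the constructed zone the same query shape under the apex (_25._tcp.example.) legitimately hits *.example., and _25._tcp.mail.example. is NXDOMAIN again because mail.example. is the closest encloser, which is exactly the situation of the _25._tcp.mail.* names in Bernhard's list.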
