On Thu, Oct 16, 2014 at 4:35 AM, Bernhard Schmidt <[email protected]>
wrote:

> we have recently enabled outbound TLSA/DANE on our Postfix MTAs and have
> come across a number of validation errors. These have the following in
> common:
>
> - The zone where the mailserver (right side of the MX record of the
> target domain) resides in is signed
> - there is a wildcard record on the zone level
> - lookup of mailserver A/AAAA works fine and is authenticated
> - lookup of _25._tcp.mailserver TLSA leads to SERVFAIL on our resolver
> (BIND 9.9.5), Google DNS and both DNS-OARC resolvers
>
> Examples:
>
> _25._tcp.vdlc.nl
> _25._tcp.mail.plexx.eu
> _25._tcp.relay01.tt-mb.nl
> _25._tcp.mail.cdv.cz
>
> Sometimes DNSVIZ shows errors in the NSEC chaining (i.e. on the tt-mb.nl
> zone), but for example the mail.cdv.cz one looks fine. Yet I cannot
> validate the response.
>

DNSViz was incorrectly showing the NSEC covering as valid for some of the
above wildcards.  It was checking that the expanded wildcard name did not
exist, but was not checking that the wildcard expansion was valid.  It has
been corrected, e.g.:

http://dnsviz.net/d/_25._tcp.vdlc.nl/VEAZDw/dnssec/
http://dnsviz.net/d/_25._tcp.mail.cdv.cz/VEAZdw/dnssec/

Cheers,
Casey
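The distinction Casey draws, as an added example that is not part of the thread or of DNSViz's own code: a minimal validator-side wildcard-expansion proof (RFC 4035 section 5.3.4) next to the weaker "expanded name is covered by an NSEC" check, run against a constructed zone of the shape reported above (an apex wildcard plus an existing host). The zone names, NSEC chain and RRSIG Labels value are constructed assumptions.

```python
# Added example: why "qname is covered by an NSEC" is not enough to accept a
# wildcard-synthesized answer. Zone data below is constructed, not real.

def labels(name):
    return [l.lower() for l in name.rstrip(".").split(".")]

def canonical_key(name):
    # RFC 4034 s6.1 ordering: compare from the rightmost label, case-
    # insensitively; a name that is a proper prefix of another sorts first.
    return tuple(l.encode() for l in reversed(labels(name)))

def nsec_covers(owner, nxt, name):
    # True when name sorts strictly between the NSEC owner and its next name.
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(name)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC of the zone wraps around to the apex

def qname_is_covered(qname, nsecs):
    # The insufficient check: proves only that the expanded name itself
    # does not exist as an explicit name in the zone.
    return any(nsec_covers(o, n, qname) for o, n in nsecs)

def wildcard_expansion_valid(qname, rrsig_labels, nsecs):
    # RRSIG Labels < label count of qname means the RRset was synthesized
    # from "*.<closest encloser>". The validator must additionally prove
    # that the "next closer name" does not exist; if it does exist, the
    # wildcard could not have matched and the answer is bogus.
    q = labels(qname)
    if rrsig_labels >= len(q):
        return True  # not a wildcard answer; no expansion proof needed
    next_closer = ".".join(q[len(q) - rrsig_labels - 1:])
    return qname_is_covered(qname, nsecs) and any(
        nsec_covers(o, n, next_closer) for o, n in nsecs)

# Constructed zone (canonical order: example.net < *.example.net <
# mail.example.net), i.e. an apex wildcard plus an existing mail host.
ZONE_NSECS = [
    ("example.net", "*.example.net"),
    ("*.example.net", "mail.example.net"),
    ("mail.example.net", "example.net"),
]
QNAME = "_25._tcp.mail.example.net"
BOGUS_RRSIG_LABELS = 2  # a broken server answered from *.example.net

if __name__ == "__main__":
    print("qname covered:", qname_is_covered(QNAME, ZONE_NSECS))
    print("expansion valid:",
          wildcard_expansion_valid(QNAME, BOGUS_RRSIG_LABELS, ZONE_NSECS))
```

For the constructed zone the weak check accepts the answer while the full proof rejects it, because mail.example.net exists and so is not covered by any NSEC; a validating resolver would return SERVFAIL here.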
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations