> sending recent mail via my local mail server
>
> postfix 3.7.2
>
> to
>
> cas...@state.gov
>
> using local resolver
>
> unbound 1.16.2
>
> I see in logs lots of these warnings/errors:
>
> 2022-10-05T17:30:13.602980-04:00 mx03 postfix/smtp-out-ext/smtp[8484]:
> warning: TLS policy lookup for state.gov/christopher-ew.state.gov:
> TLSA lookup error for christopher-ew.state.gov:25
> 2022-10-05T17:30:14.353543-04:00 mx03 postfix/smtp-out-ext/smtp[8484]:
> warning: DANE TLSA lookup problem: Host or domain name not found. Name
> service error for name=_25._tcp.stimson.state.gov type=TLSA: Host not
> found, try again

Pasting _25._tcp.christopher-ew.state.gov and _25._tcp.stimson.state.gov
into https://dnsviz.net/ indicates

 1) there is nothing basically wrong with the publication setup for
    these zones
 2) there are a few uses of SHA-1 (no longer recommended), but there
    are also SHA-256-based DS records around, so those should be
    preferred
 3) the non-existence of these names is apparently properly
    DNSSEC-signed

I'm not seeing a SERVFAIL for the former when I query my local unbound
server running 1.16.0:

% dig @my-local-unbound-resolver _25._tcp.christopher-ew.state.gov. tlsa

; <<>> DiG 9.16.20 <<>> @my-local-unbound-resolver _25._tcp.christopher-ew.state.gov. tlsa
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37754
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_25._tcp.christopher-ew.state.gov. IN TLSA

;; AUTHORITY SECTION:
state.gov.              900     IN      SOA     o-bimc-dns001.grid.state.sbu. hostmaster.state.gov. 71488 10800 1080 2419200 900

;; Query time: 63 msec
;; SERVER: 2001:700:0:ff00::2#53(2001:700:0:ff00::2)
;; WHEN: Thu Oct 06 18:52:37 CEST 2022
;; MSG SIZE  rcvd: 137

and this is properly DNSSEC-validated by my unbound recursor, ref. the
"ad" flag (there's no need to bundle a lot of other query flags).

NXDOMAIN means "the queried-for name does not exist at all in the naming
tree" (i.e. independent of the queried-for type), and also that there
is nothing "below" this name in the naming tree.

> reading
>
> Problem with TLSA & CNAME Wildcard
>
> https://mailing.postfix.users.narkive.com/VGejQATw/problem-with-tlsa-cname-wildcard
>
> suggests a resolver problem

I cannot find a CNAME record on either of these names:

_25._tcp.christopher-ew.state.gov.
*._tcp.christopher-ew.state.gov.
*.christopher-ew.state.gov.
*.state.gov.

(by directly querying one of the publishing NSes for state.gov)

> any hints as to cause/cure for this failing dane/tlsa query? or
> where/how to dig further?

The queried-for names do not exist?

Regards,

- Håvard
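As an added illustration (not code from this thread, and not Postfix's or unbound's own logic), the following pure-Python script shows the distinction the reply above turns on: a DNSSEC-validated NXDOMAIN for the TLSA name (rcode NXDOMAIN with the AD flag set, exactly what the dig output shows) is a clean "no TLSA records here" answer, whereas the "TLSA lookup error ... Host not found, try again" in the Postfix log is the kind of outcome a SERVFAIL from the resolver produces. The DNS messages are built in wire format by hand so the script runs offline; the SOA values are copied from the dig output, the TLSA record is a dummy, and the classify() table is this example's own reading of how a DANE-aware sender has to tell the cases apart, not Postfix's source.

```python
"""Classify TLSA lookup outcomes as a DANE-aware MTA must (added example)."""
import struct

TYPE_SOA, TYPE_OPT, TYPE_TLSA = 6, 41, 52
CLASS_IN = 1

# DNS header flag bits (RFC 1035, AD/CD from RFC 4035).
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
FLAG_RA, FLAG_AD, FLAG_CD = 0x0080, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def encode_name(name):
    """Dotted name -> uncompressed DNS label sequence."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Offset just past the name at `off`; handles compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def rr(name, rtype, rdata, ttl=900):
    """Resource record: name, type, class, ttl, rdlength, rdata."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_query(name, qtype, msg_id=0x1234):
    """RD query plus an EDNS0 OPT record with the DO bit, so a validating
    resolver returns DNSSEC data and sets AD when the answer validated."""
    header = struct.pack("!HHHHHH", msg_id, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT pseudo-RR: root name, type 41, udp size 1232, ext-rcode 0, version 0, DO flag, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 1232, 0, 0, 0x8000, 0)
    return header + question + opt


def build_response(query, rcode, extra_flags, answers=(), authority=()):
    """Constructed response: echoes the question, sets flags/rcode, appends RRs."""
    qend = skip_name(query, 12) + 4
    flags = FLAG_QR | FLAG_RD | FLAG_RA | extra_flags | rcode
    header = query[:2] + struct.pack("!HHHHH", flags, 1, len(answers), len(authority), 0)
    return header + query[12:qend] + b"".join(answers) + b"".join(authority)


def parse(msg):
    """Header fields plus the number of TLSA RRs in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    tlsa = 0
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_TLSA:
            tlsa += 1
    return {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "tc": bool(flags & FLAG_TC), "tlsa": tlsa}


def classify(msg):
    """This example's own mapping from a TLSA response to the sender's decision."""
    p = parse(msg)
    if p["tc"]:
        return "retry-tcp"
    if p["rcode"] not in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "tempfail"  # SERVFAIL etc.: defer delivery, never downgrade
    if p["tlsa"] == 0:
        # validated denial (AD set) = "no DANE here"; unsigned denial = same, but unprovable
        return "no-dane-secure" if p["ad"] else "no-dane-insecure"
    return "dane" if p["ad"] else "dane-ignored"  # unauthenticated TLSA RRs are unusable


# Constructed sample exchange around the name from the thread.
QNAME = "_25._tcp.christopher-ew.state.gov."
QUERY = build_query(QNAME, TYPE_TLSA)
# SOA rdata with the values shown in the dig output above.
SOA = (encode_name("o-bimc-dns001.grid.state.sbu.") + encode_name("hostmaster.state.gov.")
       + struct.pack("!IIIII", 71488, 10800, 1080, 2419200, 900))
SECURE_NXDOMAIN = build_response(QUERY, RCODE_NXDOMAIN, FLAG_AD,
                                 authority=[rr("state.gov.", TYPE_SOA, SOA)])
SERVFAIL = build_response(QUERY, RCODE_SERVFAIL, 0)
TLSA_RDATA = bytes([3, 1, 1]) + bytes(32)  # dummy DANE-EE SPKI SHA-256 record
SECURE_TLSA = build_response(QUERY, RCODE_NOERROR, FLAG_AD, answers=[rr(QNAME, TYPE_TLSA, TLSA_RDATA)])
INSECURE_TLSA = build_response(QUERY, RCODE_NOERROR, 0, answers=[rr(QNAME, TYPE_TLSA, TLSA_RDATA)])

if __name__ == "__main__":
    for label, m in [("validated NXDOMAIN", SECURE_NXDOMAIN), ("SERVFAIL", SERVFAIL),
                     ("validated TLSA", SECURE_TLSA), ("unsigned TLSA", INSECURE_TLSA)]:
        print(f"{label:20s} -> {classify(m)}")
```

The point of the table: only the SERVFAIL case is a "lookup error" that a sender should treat as temporary. A validated NXDOMAIN, which is what the reply's dig shows for _25._tcp.christopher-ew.state.gov, is a definite answer that no TLSA records exist, so a resolver returning it is working correctly.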