what's wrong?
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Jul 14 18:30:45 CEST 2015
On Tue, Jul 14, 2015 at 01:31:16PM +0200, Andreas Schulze wrote:
> Hello,
>
> messages to *@ewnederland.nl are deferred by postfix-3.0.x here.
>
> https://dane.sys4.de/smtp/ewnederland.nl says "No TLSA records."
> in contrast:
> # posttls-finger ewnederland.nl
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.remote.meulen.nl type=TLSA: Host not found, try again
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.remote.meulen.nl type=TLSA: Host not found, try again
> posttls-finger: Failed to establish session to ewnederland.nl via remote.meulen.nl: TLSA lookup error for remote.meulen.nl:25
>
> as a workaround I configure "ewnederland.nl may" in smtp_tls_policy_map.
> are there better ways?
Try again, the domain is returning validated NXDOMAIN responses
for that qname now. Perhaps meulen.nl had a brief DNSSEC outage
(failed to sign the zone promptly). Right now all's well:
http://dnsviz.net/d/_25._tcp.remote.meulen.nl/dnssec/
You should not see any problems after flushing your resolver's
cache (for at least meulen.nl and is.nl).
As for "better ways", in principle, the right response is to flush
resolver caches first, to see whether any DNS problems are fixed
on the receiving end. Also check the TLSA base domain via dnsviz.net
and the email domain via https://dane.sys4.de.
If everybody agrees it's broken, and you've urgent mail to send,
yes, you can change the Postfix policy to "encrypt" or "may".
Drop their postmaster a note to let them know about the problem,
and ask them to notify you when it is resolved.
You don't want to get stuck with long-term manual overrides in your
policy table.
My list of persistently broken (wrong TLSA RRset) domains is:
0x20.eu
1post.de
cutspin.com
dilruacs.nl
fonsecu.de
fromix.de
joworld.net
secufon.de
tsimnet.eu
yu.am
yuam.net
The owners of these domains did not respond to my email alerting
them to the problem.
I know of another ~90 domains with persistently inaccessible TLSA
RRsets due to misconfigured firewalls or buggy nameservers (compare
with >1500 with a working DANE configuration).
--
Viktor.
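The decision logic behind the advice above, as an added example that is not from the post or from Postfix itself: given the raw reply of a validating resolver to an MX host's `_25._tcp` TLSA query, it parses the TLSA RRset and maps the outcome (SERVFAIL, validated NXDOMAIN or NODATA, unsigned answer, usable or all-unusable records) onto the effective Postfix "dane" security level, following RFC 7672 and the documented Postfix behaviour. It assumes the MX hostname itself came from a DNSSEC-validated MX lookup; `build_response` only fabricates test replies (no network is used).

```python
import struct
TLSA = 52  # RR type number for TLSA (RFC 6698)

def build_response(qname, rcode, ad, tlsa_rrs=()):
    """Constructed DNS reply to a TLSA query; test input only, not a real resolver's answer."""
    owner = b"".join(bytes([len(lb)]) + lb.encode() for lb in qname.rstrip(".").split(".")) + b"\x00"
    flags = 0x8180 | (0x0020 if ad else 0) | rcode      # QR, RD, RA, optional AD, RCODE
    hdr = struct.pack("!6H", 0x1234, flags, 1, len(tlsa_rrs), 0, 0)
    answers = b""
    for usage, selector, mtype, data in tlsa_rrs:
        rdata = bytes([usage, selector, mtype]) + data
        answers += owner + struct.pack("!HHIH", TLSA, 1, 3600, len(rdata)) + rdata
    return hdr + owner + struct.pack("!HH", TLSA, 1) + answers

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name that starts at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length

def parse_tlsa_response(msg):
    """Return (rcode, ad_flag, [(usage, selector, mtype, data), ...]) from a raw DNS reply."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                    # QTYPE + QCLASS
    rrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == TLSA:
            rrs.append((rdata[0], rdata[1], rdata[2], rdata[3:]))
    return flags & 0xF, bool(flags & 0x0020), rrs

def dane_policy(msg):
    """Effective TLS level a Postfix-style 'dane' client ends up with for this MX host."""
    rcode, ad, rrs = parse_tlsa_response(msg)
    if rcode == 2:       # SERVFAIL: bogus DNSSEC or unreachable servers, indistinguishable
        return "defer"   # from an attack, so delivery is deferred (the failure mode in the post)
    if not ad or rcode == 3 or not rrs:
        return "may"     # unsigned zone, validated NXDOMAIN, or NODATA: no DANE, opportunistic TLS
    usable = [r for r in rrs if r[0] in (2, 3) and r[1] in (0, 1) and r[2] in (0, 1, 2)]
    return "dane" if usable else "encrypt"   # an all-unusable RRset still forbids cleartext
```

Once the resolver caches are flushed, a reply that moves from SERVFAIL to validated NXDOMAIN is exactly the transition from "defer" to "may" that clears the queue without a policy-table override.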