Validating an SMTP server

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Sep 7 22:10:38 CEST 2015


On Mon, Sep 07, 2015 at 03:47:27PM -0400, Simson Garfinkel wrote:

> Thanks. I've fixed the sequencing issue.

There may also be some DNSSEC issues.

The DNS for the TLSA records of openssl.org is fine, modulo a minor
inconsistency of NS RRs at the delegation from .org vs. the zone
apex.

    http://dnsviz.net/d/_25._tcp.mta.openssl.org/dnssec/

And yet the validator claims the TLSA RRset is "bogus" and
reports failure:

    http://ec2.simson.net/dane_check.cgi?host=openssl.org

	BOGUS DNS CNAME lookup _25._tcp.mta.openssl.org. = wildcard._dane.openssl.org.

Something's not quite right here...

-- 
	Viktor.


More information about the dane-users mailing list