Validating an SMTP server
Simson Garfinkel
simsong at acm.org
Mon Sep 7 23:19:51 CEST 2015
Viktor,
Thanks for finding this.
The problem appears to be with getdns... it's returning that CNAME lookups are bogus when in fact they are not.
I have filed a ticket request with the getdns team.
https://github.com/getdnsapi/getdns-python-bindings/issues/33
Until this is resolved, people should not use my validator, as the results are untrustworthy with regards to CNAME records.
Simson
> On Sep 7, 2015, at 4:46 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> On Mon, Sep 07, 2015 at 08:10:38PM +0000, Viktor Dukhovni wrote:
>
>> And yet the validator claims the TLSA RRset is "bogus",
>> reports failure:
>>
>> http://ec2.simson.net/dane_check.cgi?host=openssl.org
>>
>> BOGUS DNS CNAME lookup _25._tcp.mta.openssl.org. = wildcard._dane.openssl.org.
>>
>> Something's not quite right here...
>
> The issue seems to be systemic:
>
> http://ec2.simson.net/dane_check.cgi?host=nlnetlabs.nl
>
> BOGUS DNS CNAME lookup _25._tcp.nlnetlabs.nl = 3.1.1._dane-both.nlnetlabs.nl.
>
> http://ec2.simson.net/dane_check.cgi?host=spodhuis.org
>
> BOGUS DNS CNAME lookup _25._tcp.mx.spodhuis.org. = _globnix-tlsa.spodhuis.org.
>
> http://ec2.simson.net/dane_check.cgi?host=wizmail.org
>
> BOGUS DNS CNAME lookup _25._tcp.wizmail.org. = _cert301.wizmail.org.
>
> All three are in fact fine. So the handling of TLSA CNAMEs seems
> to be broken.
>
> --
> Viktor.
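Added example, not code from this thread or from the dane_check validator it discusses: it follows the CNAME chain of a TLSA owner name and aggregates DNSSEC validation status the way DANE requires, so that a chain whose CNAME and TLSA RRsets all validated is reported secure rather than bogus. The answer table, the per-RRset statuses and the `*.example` names are constructed for the demo; only the openssl.org and nlnetlabs.nl names come from the thread.

```python
# Aggregate the DNSSEC status of a TLSA lookup that goes through CNAMEs.
# DANE can use a CNAME-redirected TLSA RRset only if every CNAME RRset on
# the way AND the final TLSA RRset validated as secure; "bogus" is justified
# only when some RRset on that chain actually failed validation.

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"
RANK = {SECURE: 0, INSECURE: 1, BOGUS: 2}  # bogus dominates insecure dominates secure

# Constructed answer data: owner name -> (rrtype, rdata, DNSSEC status of
# that RRset). Statuses are assumed for this demo, not live lookups.
ANSWERS = {
    "_25._tcp.mta.openssl.org.": ("CNAME", "wildcard._dane.openssl.org.", SECURE),
    "wildcard._dane.openssl.org.": ("TLSA", "3 1 1 <digest placeholder>", SECURE),
    "_25._tcp.nlnetlabs.nl.": ("CNAME", "3.1.1._dane-both.nlnetlabs.nl.", SECURE),
    "3.1.1._dane-both.nlnetlabs.nl.": ("TLSA", "3 1 1 <digest placeholder>", SECURE),
    # Unsigned CNAME hop: the result is insecure (no DANE), not bogus.
    "_25._tcp.mx.unsigned.example.": ("CNAME", "tlsa.unsigned.example.", INSECURE),
    "tlsa.unsigned.example.": ("TLSA", "3 1 1 <digest placeholder>", SECURE),
    # Target RRset fails validation: this chain really is bogus.
    "_25._tcp.mx.broken.example.": ("CNAME", "tlsa.broken.example.", SECURE),
    "tlsa.broken.example.": ("TLSA", "3 1 1 <digest placeholder>", BOGUS),
    # CNAME loop: the walker must terminate instead of chasing it forever.
    "_25._tcp.loop.example.": ("CNAME", "_25._tcp.loop.example.", SECURE),
}


def tlsa_name(host, port=25, proto="tcp"):
    """Owner name of the TLSA RRset for an MX host, e.g. _25._tcp.mta.openssl.org."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def tlsa_status(name, answers=ANSWERS, max_hops=8):
    """Follow CNAMEs from `name`; return (overall status, final owner, hops)."""
    seen, worst = [], SECURE
    for _ in range(max_hops):
        if name in seen:
            raise LookupError(f"CNAME loop at {name}")
        seen.append(name)
        rrtype, rdata, status = answers[name]  # KeyError if the name is absent
        worst = max(worst, status, key=RANK.get)  # keep the worst status seen
        if rrtype == "TLSA":
            return worst, name, len(seen) - 1
        name = rdata  # follow the CNAME to its target
    raise LookupError(f"CNAME chain longer than {max_hops} hops")
```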