improvement suggestion

Viktor Dukhovni ietf-dane at
Thu Jun 9 14:54:22 CEST 2016

On Thu, Jun 09, 2016 at 01:10:54PM +0200, Andreas Schulze wrote:

> we have a message to *. Postfix looks up the MX ( and tries to validate via DANE.
> That fails:
>   Jun  9 11:55:00 mail postfix/smtp[12345]: warning: TLS policy lookup for TLSA lookup error for
>   Jun  9 11:55:00 mail postfix/smtp[12345]: warning: TLS policy lookup for TLSA lookup error for
>   Jun  9 11:55:00 mail postfix/smtp[12345]: QUEUEID: to=<postmaster at>, relay=none, delay=0.75, delays=0.13/0/0.62/0, dsn=4.7.5, status=deferred (TLSA lookup error for
> OK, I went to (thanks for the service) but simply got " don't use DNSSEC".
> It would be helpful if the validator would do the MX lookup and check the MX hosts like Postfix does.

Right, Postfix 3.1 by default also enables "half-dane" for signed
MX hosts of unsigned domains.  The validator does not support this.

The simplest solution is to test the domain of the MX host.

    $ dig +noall +ans +nocl +nottl -t mx | sort -k3n
            CNAME
            MX      10
            MX      20
            MX      80

This is a secure delegation to a zone which contains a CNAME at
the zone apex, along with DNSKEY and SOA records; this is not legal
AFAIK.  It is surely a good way to trigger DNSSEC interoperability
problems.  Also the RRSIG lifetime is ~10000 days; that's a lot
of optimism about the security of the keys...

Amazingly, unbound seems to cope:

    $ dig +noall +ans +nocl +nottl -t mx | sort -k3n
            MX      10
            MX      20
            MX      80

    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10499
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

    ;           IN      TLSA

            SOA     2016053000 14400 3600 604800 856071724
            RRSIG   SOA 8 2 86400 20160623000000 20160609000000 51946 uqwk6b8F8cTJBBtdT/CV2LnPQdpD1LOpV1rVROH/XLg/hA1e2ncmy8wf zIBZA0XI8yKsNbAlgvRDomOCqrjjioqOl8Gav5mfEaSofxblBjc2d1oK vBhBI5mrFyWlQpO9SiEqrYniecPs70+LcLhvwBRrh7SHH+xJ5EZ9hlcC d/E=
            NSEC    A RRSIG NSEC
            RRSIG   NSEC 8 3 856071724 20160623000000 20160609000000 51946 kzMKDzXkFioPrEA3rgrwuDh6PwP0fFEfLRH2Z20BX1BkyGmj7YlStUyq I45VogyfZ13MjgdrXX05qWJLACpPkAiMkN5jxSFr/Ke2U/ErviHpbW4B ndGydcZq7/90N8ZTgbeRPEAEyTy8LNqPH8VPw4iGC2g4LeYNH9vw56W5 tY4=
            NSEC    NS CNAME SOA MX TXT RRSIG NSEC DNSKEY
            RRSIG   NSEC 8 2 856071724 20160623000000 20160609000000 51946 NmVyFCOMwmp6uvOeojQKcgZiim3hcsS+I5WVXHDnsrBHXa2avpyAySPv TQwT1r/CkjpyesVSShT8P8jN2QucZ/zcB0oLysY04+rYrjBiB0nW+MlK 16DSsq3m/8dQc094FhehWFVnCnvLxoIicDZjJHviYecC4c4z4i7DT4Dp U4g=

With DNS issues like this, go to

    Cached data:

    Forced refresh:

The admin of this domain has gone far out of his way to mess it up...
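The three checks below are an added example written for this page; they are not Postfix code and not part of the thread. They model, in simplified form, how Postfix 3.1's "dane" level resolves for a signed MX host of an unsigned domain ("half-dane") and why a TLSA lookup error defers mail instead of downgrading; they parse the RRSIG fields from the dig output above so the 14-day validity window and the 856071724-second original TTL (about 9908 days) are both visible; and they apply the CNAME co-existence rule to the apex NSEC type list shown above. All lookup results are constructed, not live DNS, and the "encrypt" fallback for a secure-but-unusable TLSA RRset is an assumption to check against the TLS_README of your Postfix version.

```python
"""Added example: half-DANE policy resolution, RRSIG field parsing and an
apex CNAME sanity check for the situation discussed in this thread.
Not Postfix code; lookup results are constructed inputs, not live DNS."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Lookup(Enum):
    SECURE = "secure"      # validated answer (AD bit set)
    INSECURE = "insecure"  # answer from an unsigned zone
    NXDOMAIN = "nxdomain"  # proven or unsigned non-existence
    ERROR = "error"        # bogus / SERVFAIL / timeout: cannot tell


@dataclass
class TlsaLookup:
    status: Lookup
    usable: int = 0        # number of usable TLSA records (e.g. "3 1 1 <hash>")


def dane_policy(mx: Lookup, tlsa: TlsaLookup,
                insecure_mx_policy: str = "dane") -> Tuple[str, Optional[str]]:
    """Simplified model of smtp_tls_security_level = dane.

    Returns (effective level, deferral reason).  Rules modelled:
      * MX RRset secure, or insecure with smtp_tls_dane_insecure_mx_policy =
        "dane" (the Postfix 3.1 default, "half-dane"): consult the MX host's
        own TLSA RRset; otherwise use the configured fallback level.
      * TLSA secure with usable records -> "dane" (cert must match TLSA).
      * TLSA secure but nothing usable -> "encrypt" (assumption; verify
        against your Postfix version's TLS_README).
      * TLSA insecure or NXDOMAIN -> opportunistic "may".
      * TLSA lookup error -> defer: the dsn=4.7.5 "TLSA lookup error" in the
        quoted log.  DANE never downgrades on an unvalidated failure.
    """
    if mx == Lookup.ERROR:
        return "defer", "MX lookup error"
    if mx == Lookup.INSECURE and insecure_mx_policy != "dane":
        return insecure_mx_policy, None
    if tlsa.status == Lookup.ERROR:
        return "defer", "TLSA lookup error"
    if tlsa.status == Lookup.SECURE:
        return ("dane", None) if tlsa.usable else ("encrypt", None)
    return "may", None


def parse_rrsig(rdata: str) -> Dict[str, object]:
    """Parse the leading RRSIG presentation-format fields: type covered,
    algorithm, labels, original TTL, expiration, inception, key tag.
    Anything after the key tag (signer name, signature) is ignored."""
    f = rdata.split()
    fmt = "%Y%m%d%H%M%S"
    exp = datetime.strptime(f[4], fmt).replace(tzinfo=timezone.utc)
    inc = datetime.strptime(f[5], fmt).replace(tzinfo=timezone.utc)
    return {
        "type_covered": f[0],
        "algorithm": int(f[1]),
        "labels": int(f[2]),
        "original_ttl_days": int(f[3]) / 86400,
        "validity_days": (exp - inc).total_seconds() / 86400,
        "key_tag": int(f[6]),
    }


DNSSEC_META = {"RRSIG", "NSEC", "NSEC3"}


def cname_conflicts(nsec_type_list: str) -> List[str]:
    """Types that unlawfully share an owner name with a CNAME.

    RFC 2181 section 10.1: a CNAME must be the only data at its name;
    RFC 4035 section 2.5 additionally permits RRSIG and NSEC beside it.
    The argument is the type list of an NSEC record as printed by dig."""
    types = set(nsec_type_list.split())
    if "CNAME" not in types:
        return []
    return sorted(types - {"CNAME"} - DNSSEC_META)


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: unsigned envelope domain,
    # signed MX host whose TLSA lookup fails validation.
    print(dane_policy(Lookup.INSECURE, TlsaLookup(Lookup.ERROR)))
    print(parse_rrsig("NSEC 8 2 856071724 20160623000000 20160609000000 51946"))
    print(cname_conflicts("NS CNAME SOA MX TXT RRSIG NSEC DNSKEY"))
```

With the constructed inputs the policy function returns a deferral with reason "TLSA lookup error", which is the same outcome as the quoted Postfix log; setting smtp_tls_dane_insecure_mx_policy to "may" makes the same inputs fall back to opportunistic TLS, which is the trade-off Postfix 3.1 deliberately does not make by default.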


More information about the dane-users mailing list