improvement suggestion

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Jun 9 14:54:22 CEST 2016


On Thu, Jun 09, 2016 at 01:10:54PM +0200, Andreas Schulze wrote:

> we have a message to *@transfennica.com. Postfix looks up the MX (mail.spliethoff.nl) and tries to validate via DANE.
> That fails:
>   Jun  9 11:55:00 mail postfix/smtp[12345]: warning: TLS policy lookup for transfennica.com/mail.spliethoff.nl: TLSA lookup error for mail.spliethoff.nl:25
>   Jun  9 11:55:00 mail postfix/smtp[12345]: warning: TLS policy lookup for transfennica.com/smtp.spliethoff.nl: TLSA lookup error for smtp.spliethoff.nl:25
>   Jun  9 11:55:00 mail postfix/smtp[12345]: QUEUEID: to=<postmaster at transfennica.com>, relay=none, delay=0.75, delays=0.13/0/0.62/0, dsn=4.7.5, status=deferred (TLSA lookup error for smtp.spliethoff.nl:25)
> 
> OK, I went to dane.sys4.de (thanks for the service), but simply got "transfennica.com don't use DNSSEC".
> It would be helpful if the validator would do the MX lookup and check the MX hosts like Postfix does.

Right, Postfix 3.1 by default also enables "half-dane" for signed
MX hosts of unsigned domains.  The validator does not support this.

The simplest solution is to test the domain of the MX host.

    $ dig +noall +ans +nocl +nottl -t mx spliethoff.nl | sort -k3n
    spliethoff.nl.		CNAME	spliethoff.com.
    spliethoff.com.		MX	10 mail.spliethoff.nl.
    spliethoff.com.		MX	20 fw.spliethoff.nl.
    spliethoff.com.		MX	80 smtp.spliethoff.nl.

This is a secure delegation to a zone which contains a CNAME at
the zone apex, along with DNSKEY and SOA records; this is not legal,
AFAIK.  It is surely a good way to trigger DNSSEC interoperability
problems.  Also, the RRSIG lifetime is ~10000 days; that's a lot
of optimism about the security of the keys...

Amazingly, unbound seems to cope:

    $ dig +noall +ans +nocl +nottl -t mx spliethoff.com | sort -k3n
    spliethoff.com.		MX	10 mail.spliethoff.nl.
    spliethoff.com.		MX	20 fw.spliethoff.nl.
    spliethoff.com.		MX	80 smtp.spliethoff.nl.

    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10499
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
    ;_25._tcp.mail.spliethoff.nl. IN        TLSA
    spliethoff.nl.          SOA     ns01.is.nl. postmaster.is.nl. 2016053000 14400 3600 604800 856071724
    spliethoff.nl.          RRSIG   SOA 8 2 86400 20160623000000 20160609000000 51946 spliethoff.nl. uqwk6b8F8cTJBBtdT/CV2LnPQdpD1LOpV1rVROH/XLg/hA1e2ncmy8wf zIBZA0XI8yKsNbAlgvRDomOCqrjjioqOl8Gav5mfEaSofxblBjc2d1oK vBhBI5mrFyWlQpO9SiEqrYniecPs70+LcLhvwBRrh7SHH+xJ5EZ9hlcC d/E=
    mail.spliethoff.nl.     NSEC    mijn.spliethoff.nl. A RRSIG NSEC
    mail.spliethoff.nl.     RRSIG   NSEC 8 3 856071724 20160623000000 20160609000000 51946 spliethoff.nl. kzMKDzXkFioPrEA3rgrwuDh6PwP0fFEfLRH2Z20BX1BkyGmj7YlStUyq I45VogyfZ13MjgdrXX05qWJLACpPkAiMkN5jxSFr/Ke2U/ErviHpbW4B ndGydcZq7/90N8ZTgbeRPEAEyTy8LNqPH8VPw4iGC2g4LeYNH9vw56W5 tY4=
    spliethoff.nl.          NSEC    _autodiscover._tcp.spliethoff.nl. NS CNAME SOA MX TXT RRSIG NSEC DNSKEY
    spliethoff.nl.          RRSIG   NSEC 8 2 856071724 20160623000000 20160609000000 51946 spliethoff.nl. NmVyFCOMwmp6uvOeojQKcgZiim3hcsS+I5WVXHDnsrBHXa2avpyAySPv TQwT1r/CkjpyesVSShT8P8jN2QucZ/zcB0oLysY04+rYrjBiB0nW+MlK 16DSsq3m/8dQc094FhehWFVnCnvLxoIicDZjJHviYecC4c4z4i7DT4Dp U4g=

With DNS issues like this, go to dnsviz.net:

    Cached data:

	http://dnsviz.net/d/_25._tcp.mail.spliethoff.nl/dnssec/

    Forced refresh:

	http://dnsviz.net/d/_25._tcp.mail.spliethoff.nl/analyze/

The admin of this domain has gone far out of his way to mess it up...

-- 
	Viktor.
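The decision procedure Viktor describes (an unsigned recipient domain whose MX hosts live in a signed zone, and a TLSA lookup error causing deferral rather than a fallback to plaintext) is small enough to write out. The Python below is an added example, not code from the original message and not Postfix's own implementation: it models, over constructed lookup results, how a Postfix-3.1-style client at smtp_tls_security_level=dane picks a per-MX-host policy, and which TLSA owner names a validator would have to test to match that behaviour. The names example.com, example.net and example.org are hypothetical stand-ins for the domains in the thread, the resolver table is constructed by hand, and the TLSA usability rule follows RFC 7672 (usage 2 or 3, selector 0 or 1, matching type 0, 1 or 2).

```python
"""Half-DANE policy walk-through (added example; not Postfix code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Status(Enum):
    SECURE = "secure"      # validated: AD bit set by the local resolver
    INSECURE = "insecure"  # answer exists but is not DNSSEC-signed
    ERROR = "error"        # SERVFAIL, bogus, or timeout: no usable answer


@dataclass(frozen=True)
class Answer:
    status: Status
    rrs: Tuple[str, ...] = ()  # rdata strings; empty means NODATA/NXDOMAIN


# Constructed resolver view keyed by (owner name, rrtype).  Hypothetical
# names: example.com is the unsigned recipient domain, example.net the
# signed zone hosting most of its MX hosts, example.org an unsigned zone.
DNS: Dict[Tuple[str, str], Answer] = {
    ("example.com", "MX"): Answer(Status.INSECURE, (
        "10 mail.example.net", "20 fw.example.net",
        "80 smtp.example.net", "90 relay.example.org")),
    # mail: signed zone, but the TLSA lookup fails (SERVFAIL from a broken zone)
    ("_25._tcp.mail.example.net", "TLSA"): Answer(Status.ERROR),
    # fw: signed zone with a usable DANE-EE(3) SPKI(1) SHA-256(1) record
    ("_25._tcp.fw.example.net", "TLSA"): Answer(Status.SECURE, ("3 1 1 " + "ab" * 32,)),
    # smtp: signed zone, secure denial of existence (no TLSA published)
    ("_25._tcp.smtp.example.net", "TLSA"): Answer(Status.SECURE),
    # relay: unsigned zone, so whatever it publishes is insecure NODATA here
    ("_25._tcp.relay.example.org", "TLSA"): Answer(Status.INSECURE),
}


def lookup(name: str, rtype: str) -> Answer:
    """Constructed resolver: anything not in the table is an insecure NODATA."""
    return DNS.get((name, rtype), Answer(Status.INSECURE))


def usable(tlsa: str) -> bool:
    """RFC 7672 section 3.1: SMTP clients use usage 2/3, selector 0/1, mtype 0/1/2."""
    usage, selector, mtype = (int(x) for x in tlsa.split()[:3])
    return usage in (2, 3) and selector in (0, 1) and mtype in (0, 1, 2)


def mx_hosts(domain: str) -> Tuple[Status, List[str]]:
    """MX hosts of domain in preference order, plus the MX RRset's DNSSEC status."""
    ans = lookup(domain, "MX")
    if ans.status is Status.ERROR:
        raise LookupError(f"MX lookup error for {domain}")
    if not ans.rrs:  # no MX records: the implicit MX is the domain itself
        return ans.status, [domain]
    prefs = sorted((int(p), h.rstrip(".")) for p, h in (rr.split() for rr in ans.rrs))
    return ans.status, [h for _, h in prefs]


def tls_policy(domain: str, insecure_mx_policy: str = "dane") -> Dict[str, Tuple[str, str]]:
    """Per-MX-host TLS policy for a client at smtp_tls_security_level=dane.

    insecure_mx_policy plays the role of smtp_tls_dane_insecure_mx_policy:
    what to do when the MX RRset is unsigned but the host's TLSA RRset is
    secure (the "half-dane" case).  'defer' mirrors the 4.7.5 deferral in
    the thread's log lines: a lookup error is never downgraded to plaintext.
    """
    mx_status, hosts = mx_hosts(domain)
    out: Dict[str, Tuple[str, str]] = {}
    for host in hosts:
        tlsa = lookup(f"_25._tcp.{host}", "TLSA")
        if tlsa.status is Status.ERROR:
            out[host] = ("defer", f"TLSA lookup error for {host}:25")
        elif tlsa.status is Status.INSECURE or not tlsa.rrs:
            out[host] = ("may", "no secure TLSA records; opportunistic TLS")
        elif not any(usable(r) for r in tlsa.rrs):
            out[host] = ("encrypt", "secure TLSA present but none usable")
        elif mx_status is Status.SECURE:
            out[host] = ("dane", "secure MX and secure usable TLSA")
        else:
            out[host] = (insecure_mx_policy, "half-dane: insecure MX, secure TLSA")
    return out


def names_to_validate(domain: str) -> List[str]:
    """TLSA owner names a DANE validator must test to see what Postfix sees."""
    _, hosts = mx_hosts(domain)
    return [f"_25._tcp.{h}" for h in hosts]


if __name__ == "__main__":
    for host, (level, why) in tls_policy("example.com").items():
        print(f"{host:22} {level:8} {why}")
    print("validator should test:", ", ".join(names_to_validate("example.com")))
```

The point the model makes explicit: a validator that stops at "example.com is not signed" never reaches the three `_25._tcp.*.example.net` names, yet it is exactly those names whose SERVFAIL defers the mail.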


More information about the dane-users mailing list