posttls-finger vs. dane.sys4.de

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Nov 2 22:19:52 CET 2016


On Wed, Nov 02, 2016 at 09:52:58PM +0100, Andreas Schulze wrote:

> we found messages to "sushi-circle.de" stay in our MTA facing outside world:
> "status=deferred (TLSA lookup error for login.enterprise-email.com:25)"

That domain has broken DNS servers, as can be seen at:

    http://dnsviz.net/d/_25._tcp.login.enterprise-email.com/dnssec/

The issue is that it breaks query minimization.  Queries for

    _tcp.login.enterprise-email.com

return a "bogus" NXDOMAIN (perhaps a DJBDNS server with rather
incomplete DNSSEC support or a very out of date PowerDNS), while
queries for _25._tcp return TLSA records...

Whether any particular client detects this or not rather depends
on whether the client's resolver enables query minimization.

The reason TLSA records are in play for this domain is that while
the domain's zone is not DNSSEC signed, the MX host's domain is,
and so by default, its TLSA records are still used with Postfix
3.1 and later:

    http://www.postfix.org/postconf.5.html#smtp_tls_dane_insecure_mx_policy

The dane.sys4.de code does not inspect TLSA records for domains
with an insecure MX RRset.  You can directly test the MX host
to check.  Because dane.sys4.de is not doing query minimization,
everything checks out.

    https://dane.sys4.de/smtp/login.enterprise-email.com

> I guess some piece of software is wrong...

No, rather the world is complicated, and not everything uses the
same set of configuration options and runs into the same interop
issues.

Query minimization provides some additional privacy, but it has
costs in both latency and reliability (runs into more bugs).  It
is suitable for personal machines, but may not yet be wise for
servers.

FWIW, the resolver I'm using at the moment is not configured for
query minimization, and so:

    $ posttls-finger -c -l dane sushi-circle.de
    posttls-finger: using DANE RR: _25._tcp.login.enterprise-email.com IN TLSA 3 0 1 DC:70:0D:9F:49:F9:D2:D0:6F:86:18:46:86:86:B3:D7:A8:DC:53:4A:CB:D5:F1:51:39:5D:4A:CF:AD:00:56:19
    posttls-finger: MX RRset insecure: log verified as trusted
    posttls-finger: login.enterprise-email.com[95.128.200.159]:25: depth=0 matched end entity certificate sha256 digest DC:70:0D:9F:49:F9:D2:D0:6F:86:18:46:86:86:B3:D7:A8:DC:53:4A:CB:D5:F1:51:39:5D:4A:CF:AD:00:56:19
    posttls-finger: login.enterprise-email.com[95.128.200.159]:25: Matched subjectAltName: login.enterprise-email.com
    posttls-finger: login.enterprise-email.com[95.128.200.159]:25: subjectAltName: www.login.enterprise-email.com
    posttls-finger: login.enterprise-email.com[95.128.200.159]:25 CommonName login.enterprise-email.com
    posttls-finger: login.enterprise-email.com[95.128.200.159]:25: subject_CN=login.enterprise-email.com, issuer_CN=COMODO RSA Domain Validation Secure Server CA, fingerprint=38:AC:5C:74:90:66:BA:FE:45:B1:09:31:21:96:F7:C3:55:30:E7:9C, pkey_fingerprint=A0:11:EB:11:CD:BB:E3:A1:C7:F8:B9:AA:A0:E8:02:6B:47:1A:69:28
    posttls-finger: Trusted TLS connection established to login.enterprise-email.com[95.128.200.159]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

-- 
	Viktor.
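The disagreement described in this message, as an added example that is not part of the post and not code from Postfix or dane.sys4.de: a small simulation of an authoritative server that answers a bogus NXDOMAIN for the empty non-terminal `_tcp.login.enterprise-email.com` while still answering the full `_25._tcp` TLSA name, queried once by a conventional resolver and once by a qname-minimizing one. The zone contents are constructed (the TLSA RDATA is the record from the posttls-finger output above; the NS and A records are assumptions), and nothing here touches the network. The `rfc8020_violation` check is the test a practitioner would want to run against such a domain: find the intermediate name whose NXDOMAIN contradicts the records that exist below it.

```python
"""Added example (not from Viktor's post, Postfix or dane.sys4.de): why a
qname-minimizing resolver and a conventional one disagree about
_25._tcp.login.enterprise-email.com.  All data is CONSTRUCTED to mirror
the behaviour the post describes; nothing here talks to the network."""

APEX = "enterprise-email.com"
MX_HOST = "login.enterprise-email.com"
TLSA_NAME = "_25._tcp." + MX_HOST

# Constructed zone contents.  The TLSA RDATA is the record shown in the
# post's posttls-finger output; the NS and A records are assumptions.
ZONE = {
    APEX: {"NS": ["ns1." + APEX]},                       # assumed
    MX_HOST: {"A": ["95.128.200.159"]},
    TLSA_NAME: {"TLSA": ["3 0 1 DC700D9F49F9D2D06F86184686"
                         "86B3D7A8DC534ACBD5F151395D4ACFAD005619"]},
}


def buggy_auth(qname, qtype):
    """Broken authoritative server: any name without RRs of its own gets
    NXDOMAIN, even an empty non-terminal such as _tcp.<host> that has
    names below it.  RFC 8020: NXDOMAIN means nothing exists below."""
    if qname not in ZONE:
        return "NXDOMAIN", []
    return "NOERROR", ZONE[qname].get(qtype, [])


def correct_auth(qname, qtype):
    """Correct server: an empty non-terminal answers NOERROR, no data."""
    if qname in ZONE:
        return "NOERROR", ZONE[qname].get(qtype, [])
    if any(name.endswith("." + qname) for name in ZONE):
        return "NOERROR", []          # empty non-terminal (NODATA)
    return "NXDOMAIN", []


def resolve_full(auth, qname, qtype):
    """Conventional resolver: send the full qname straight away."""
    return auth(qname, qtype)


def intermediate_names(qname, zone_apex):
    """Names between the zone cut and qname, shortest first, excluding
    qname itself: the probes a minimizing resolver sends."""
    labels = qname.split(".")
    n_apex = len(zone_apex.split("."))
    return [".".join(labels[i:]) for i in range(len(labels) - n_apex - 1, 0, -1)]


def resolve_minimized(auth, qname, qtype, zone_apex, strict=True):
    """RFC 7816-style qname minimization: reveal one label at a time,
    probing each intermediate name with an NS query.  On NXDOMAIN a strict
    resolver trusts RFC 8020 and stops; a non-strict one retries with the
    full name instead (the fallback some resolvers offer for broken servers)."""
    for partial in intermediate_names(qname, zone_apex):
        rcode, _ = auth(partial, "NS")
        if rcode == "NXDOMAIN":
            if strict:
                return "NXDOMAIN", []
            return auth(qname, qtype)       # fall back to the full query
    return auth(qname, qtype)


def rfc8020_violation(auth, qname, qtype, zone_apex):
    """Return the first intermediate name for which the server says NXDOMAIN
    even though qname below it resolves, or None if the server is
    consistent.  This is the check to run when TLSA lookups for a domain
    fail only from minimizing resolvers."""
    if auth(qname, qtype)[0] != "NOERROR":
        return None
    for partial in intermediate_names(qname, zone_apex):
        if auth(partial, "NS")[0] == "NXDOMAIN":
            return partial
    return None


if __name__ == "__main__":
    for label, auth in (("buggy", buggy_auth), ("correct", correct_auth)):
        print(f"{label} server:")
        print("  full query     :", resolve_full(auth, TLSA_NAME, "TLSA"))
        print("  minimized query:", resolve_minimized(auth, TLSA_NAME, "TLSA", APEX))
        print("  RFC 8020 break :", rfc8020_violation(auth, TLSA_NAME, "TLSA", APEX))
```

Against the buggy server the full query returns the TLSA record, which is what a non-minimizing Postfix and dane.sys4.de see, while the strict minimized query stops at `_tcp.login.enterprise-email.com` with NXDOMAIN, which is the "TLSA lookup error" in the deferred-mail status. Against a real domain the same check is two `dig` queries sent directly to the authoritative server, one for the intermediate name and one for the full `_25._tcp` name, or the dnsviz page linked above.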