posttls-finger vs.

Viktor Dukhovni ietf-dane at
Wed Nov 2 22:19:52 CET 2016

On Wed, Nov 02, 2016 at 09:52:58PM +0100, Andreas Schulze wrote:

> we found messages to "" stay in our MTA facing outside world:
> "status=deferred (TLSA lookup error for"

That domain has broken DNS servers, as can be seen at:

The issue is that it breaks query minimization.  Queries for

return a "bogus" NXDOMAIN (perhaps a DJBDNS server with rather
incomplete DNSSEC support or a very out of date PowerDNS), while
queries for _25._tcp return TLSA records...

Whether any particular client detects this or not rather depends
on whether the client's resolver enables query minimization.

The reason TLSA records are in play for this domain is that while
the domain's zone is not DNSSEC signed, the MX host's domain is,
and so by default, its TLSA records are still used with Postfix
3.1 and later:

The code does not inspect TLSA records for domains
with an insecure MX RRset.  You can directly test the MX host
to check.  Because is not doing query minimization,
everything checks out.

> I guess some piece of software is wrong...

No, rather the world is complicated, and not everything uses the
same set of configuration options and runs into the same interop

Query minimization provides some additional privacy, but it has
costs in both latency and reliability (runs into more bugs).  It
is suitable for personal machines, but may not yet be wise for

FWIW, the resolver I'm using at the moment is not configured for
query minimization, and so:

    $ posttls-finger -c -l dane
    posttls-finger: using DANE RR: IN TLSA 3 0 1 DC:70:0D:9F:49:F9:D2:D0:6F:86:18:46:86:86:B3:D7:A8:DC:53:4A:CB:D5:F1:51:39:5D:4A:CF:AD:00:56:19
    posttls-finger: MX RRset insecure: log verified as trusted
    posttls-finger:[]:25: depth=0 matched end entity certificate sha256 digest DC:70:0D:9F:49:F9:D2:D0:6F:86:18:46:86:86:B3:D7:A8:DC:53:4A:CB:D5:F1:51:39:5D:4A:CF:AD:00:56:19
    posttls-finger:[]:25: Matched subjectAltName:
    posttls-finger:[]:25: subjectAltName:
    posttls-finger:[]:25 CommonName
    posttls-finger:[]:25:, issuer_CN=COMODO RSA Domain Validation Secure Server CA, fingerprint=38:AC:5C:74:90:66:BA:FE:45:B1:09:31:21:96:F7:C3:55:30:E7:9C, pkey_fingerprint=A0:11:EB:11:CD:BB:E3:A1:C7:F8:B9:AA:A0:E8:02:6B:47:1A:69:28
    posttls-finger: Trusted TLS connection established to[]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

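An added example, not from the post or from Postfix, that simulates the resolver-side difference the reply describes: a constructed authoritative server answers the full owner name `_25._tcp.<mx-host>` with TLSA records but returns NXDOMAIN for the empty non-terminal `_tcp.<mx-host>`, so a query-minimizing resolver (RFC 7816 style) stops short while a non-minimizing one succeeds. All names, records and both toy resolvers are constructed placeholders; `APEX` is assumed to be the known zone cut.

```python
from typing import Callable, Dict, List, Tuple

NXDOMAIN, NOERROR = "NXDOMAIN", "NOERROR"
Answer = Tuple[str, List[str]]
Server = Callable[[str, str], Answer]

# Constructed zone data (placeholder names, not the domain from the thread).
APEX = "example.test."
MX_HOST = "mx." + APEX
ZONE: Dict[Tuple[str, str], List[str]] = {
    (MX_HOST, "A"): ["192.0.2.25"],
    ("_25._tcp." + MX_HOST, "TLSA"): ["3 0 1 <sha256-placeholder>"],
}

def buggy_server(owner: str, rrtype: str) -> Answer:
    """Misbehaving authoritative server: any owner/type pair not literally in
    the table gets NXDOMAIN, including the empty non-terminal _tcp.<mx-host>.
    In the real case that NXDOMAIN also fails DNSSEC validation ("bogus"),
    which is what surfaces in the MTA as a TLSA lookup error."""
    if (owner, rrtype) in ZONE:
        return NOERROR, ZONE[(owner, rrtype)]
    return NXDOMAIN, []

def correct_server(owner: str, rrtype: str) -> Answer:
    """Correct server: a name exists (NOERROR, possibly no data) if any
    record sits at or below it; only truly absent names get NXDOMAIN."""
    if (owner, rrtype) in ZONE:
        return NOERROR, ZONE[(owner, rrtype)]
    exists = any(o == owner or o.endswith("." + owner) for o, _ in ZONE)
    return (NOERROR, []) if exists else (NXDOMAIN, [])

def resolve_full(server: Server, qname: str, qtype: str) -> Answer:
    """Resolver without query minimization: sends the full QNAME at once."""
    return server(qname, qtype)

def resolve_minimized(server: Server, qname: str, qtype: str) -> Answer:
    """RFC 7816-style resolver: below the known zone cut it reveals one
    label per query. NXDOMAIN for an intermediate name is final, because
    nothing can exist beneath a name that does not exist."""
    labels = qname[: -len(APEX)].rstrip(".").split(".")   # ["_25", "_tcp", "mx"]
    name = APEX
    for label in reversed(labels[1:]):                     # probe mx., then _tcp.mx.
        name = label + "." + name
        if server(name, "A")[0] == NXDOMAIN:
            return NXDOMAIN, []
    return server(qname, qtype)

def tlsa_lookup(server: Server, minimize: bool) -> Answer:
    """The lookup an MTA needs for DANE on port 25 of the MX host."""
    resolver = resolve_minimized if minimize else resolve_full
    return resolver(server, "_25._tcp." + MX_HOST, "TLSA")
```

Swapping `buggy_server` for `correct_server` shows that the minimizing resolver itself is fine once the intermediate name is answered NOERROR/no data instead of NXDOMAIN.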

More information about the dane-users mailing list