validation problem
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Sep 4 17:00:05 CEST 2018
> On Sep 4, 2018, at 10:39 AM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> An alternative fix is to disable qname-minimization (which does
> run into interop issues in such cases):
>
> server:
> qname-minimisation: no
>
> Then you'll find that the TLSA records actually exist! And mail
> to this domain will be partly protected by DANE (barring forged
> MX records, which leave forensic evidence in your logs).
I should mention that at least four domains with the MX host in question
are also DNSSEC-signed, so disabling DNSSEC would disable DANE for
those four domains:
enterprise-email.com. IN MX 10 login.enterprise-email.com. ; NoError AD=1
marcriemer.de. IN MX 10 login.enterprise-email.com. ; NoError AD=1
marcriemer.de. IN MX 20 smtp-in20.enterprise-email.com. ; NoError AD=1
weliano.com. IN MX 10 login.enterprise-email.com. ; NoError AD=1
weliano.com. IN MX 20 smtp-in20.enterprise-email.com. ; NoError AD=1
flexiconf.com. IN MX 10 login.enterprise-email.com. ; NoError AD=1
flexiconf.com. IN MX 20 smtp-in20.enterprise-email.com. ; NoError AD=1
login.enterprise-email.com[95.128.200.159]: pass: TLSA match: depth = 0, name = login.enterprise-email.com
cert sha256 [matched] <- 3 0 1 ebb423a21d60370e9f9df7e5fdef08518748142c4411749758e386c560f05eba
smtp-in20.enterprise-email.com[46.235.201.57]: pass: TLSA match: depth = 0, name = smtp-in20.enterprise-email.com
cert sha256 [matched] <- 3 0 1 3f82f164796edead461434a60f13bf21416e6fba5f15c9a08c6483b644f81009
smtp-in20.enterprise-email.com[2a00:1200:0:9::65b]: pass: TLSA match: depth = 0, name = smtp-in20.enterprise-email.com
cert sha256 [matched] <- 3 0 1 3f82f164796edead461434a60f13bf21416e6fba5f15c9a08c6483b644f81009
So you can have either qname-minimization, or unimpeded delivery to this
and similar domains. You might reach out to the tech-support team at
enterprise-email.com and ask them to fix their nameservers; the mishandling
of empty non-terminals needs to be fixed.
--
Viktor.
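Added example, not code from the post above or from Unbound or Postfix: a small Python simulation of the mechanism the thread describes. A resolver doing RFC 7816 qname minimisation walks down from the zone apex one label at a time and, per RFC 8020, stops as soon as an intermediate name returns NXDOMAIN. The TLSA owner name _25._tcp.login.enterprise-email.com sits below _tcp.login.enterprise-email.com, which holds no records of its own (an empty non-terminal). A correct server answers NODATA for it; a server that answers NXDOMAIN for ENTs makes the minimising resolver give up before it ever asks for the TLSA record, while a non-minimising resolver that asks for the full name directly succeeds. The zone below is constructed: only the names from the thread are reused, and the address and TLSA digest are placeholders, not enterprise-email.com's real data.

```python
"""Simulated qname minimisation (RFC 7816) against an authoritative server that
mishandles empty non-terminals (ENTs).

Added example, not code from the original post. The zone below is constructed:
only the names from the thread are reused; the address and the TLSA digest are
placeholders, not the real enterprise-email.com data."""
import hashlib

NOERROR, NXDOMAIN = "NoError", "NXDomain"

APEX = "enterprise-email.com."
TLSA_NAME = "_25._tcp.login." + APEX

# Constructed zone. _tcp.login.enterprise-email.com. has no records of its own:
# it exists only as an empty non-terminal above the TLSA owner name.
ZONE = {
    APEX: {"MX": ["10 login." + APEX]},
    "login." + APEX: {"A": ["192.0.2.10"]},  # documentation address, constructed
    TLSA_NAME: {"TLSA": ["3 0 1 " + hashlib.sha256(b"constructed cert").hexdigest()]},
}


def authoritative(qname, qtype, *, ent_bug):
    """Answer like the zone's authoritative server.

    A correct server answers NODATA (NoError with an empty answer) for an ENT.
    With ent_bug=True it answers NXDOMAIN instead, which is the misbehaviour the
    thread describes: the name is treated as if nothing existed below it."""
    if qname in ZONE:
        return NOERROR, ZONE[qname].get(qtype, [])
    is_ent = any(owner.endswith("." + qname) for owner in ZONE)
    if is_ent and not ent_bug:
        return NOERROR, []
    return NXDOMAIN, []


def resolve(qname, qtype, *, minimise, ent_bug):
    """Resolve qname/qtype inside the zone, returning (rcode, rrset, trace).

    trace lists every (name, type, rcode) exchanged with the authoritative
    server. With minimise=True the resolver follows RFC 7816: starting at the
    zone apex it adds one label at a time, asks for NS at each intermediate
    name, and gives up as soon as it sees NXDOMAIN, because NXDOMAIN means no
    name can exist below that point (RFC 8020)."""
    trace = []

    def ask(name, rtype):
        rcode, rrs = authoritative(name, rtype, ent_bug=ent_bug)
        trace.append((name, rtype, rcode))
        return rcode, rrs

    if not minimise or qname == APEX:
        rcode, rrs = ask(qname, qtype)
        return rcode, rrs, trace

    labels = qname[: -len(APEX) - 1].split(".")  # e.g. ["_25", "_tcp", "login"]
    current = APEX
    rcode, rrs = NOERROR, []
    for label in reversed(labels):
        current = label + "." + current
        rcode, rrs = ask(current, qtype if current == qname else "NS")
        if rcode == NXDOMAIN:
            return NXDOMAIN, [], trace
    return rcode, rrs, trace


def lookup_tlsa(*, minimise, ent_bug):
    """The lookup a DANE-enabled MTA makes before connecting to the MX host."""
    return resolve(TLSA_NAME, "TLSA", minimise=minimise, ent_bug=ent_bug)


def main():
    for minimise, ent_bug in [(False, True), (True, True), (True, False)]:
        rcode, rrs, trace = lookup_tlsa(minimise=minimise, ent_bug=ent_bug)
        qm = "yes" if minimise else "no"
        print(f"qname-minimisation={qm:<3} ENT bug={ent_bug!s:<5} -> {rcode} {rrs}")
        for name, rtype, rc in trace:
            print(f"    {name} {rtype} -> {rc}")


if __name__ == "__main__":
    main()
```

Running it prints three scenarios: with minimisation off the TLSA record is found even against the buggy server; with minimisation on and the ENT bug present the walk dies at _tcp.login.enterprise-email.com with NXDOMAIN and the TLSA record is never requested, which is the "non-existent" TLSA the earlier message in the thread observed; with minimisation on and a correct server the ENT returns NODATA and the walk continues to the TLSA record. Fixing the ENT handling on the authoritative side is what makes both behaviours agree.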