validation problem

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Sep 4 17:00:05 CEST 2018



> On Sep 4, 2018, at 10:39 AM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> An alternative fix is to disable qname-minimization (which does
> run into interop issues in such cases):
> 
>   server:
>      qname-minimisation: no
> 
> Then you'll find that the TLSA records actually exist!  And mail
> to this domain will be partly protected by DANE (barring forged
> MX records, which leave forensic evidence in your logs).

I should mention that at least four domains with the MX host in question
are also DNSSEC-signed, so disabling DNSSEC would disable DANE for
those four domains:

 enterprise-email.com. IN MX 10 login.enterprise-email.com. ; NoError AD=1
 marcriemer.de. IN MX 10 login.enterprise-email.com. ; NoError AD=1
 marcriemer.de. IN MX 20 smtp-in20.enterprise-email.com. ; NoError AD=1
 weliano.com. IN MX 10 login.enterprise-email.com. ; NoError AD=1
 weliano.com. IN MX 20 smtp-in20.enterprise-email.com. ; NoError AD=1
 flexiconf.com. IN MX 10 login.enterprise-email.com. ; NoError AD=1
 flexiconf.com. IN MX 20 smtp-in20.enterprise-email.com. ; NoError AD=1
  login.enterprise-email.com[95.128.200.159]: pass: TLSA match: depth = 0, name = login.enterprise-email.com
      cert sha256 [matched] <- 3 0 1 ebb423a21d60370e9f9df7e5fdef08518748142c4411749758e386c560f05eba
  smtp-in20.enterprise-email.com[46.235.201.57]: pass: TLSA match: depth = 0, name = smtp-in20.enterprise-email.com
      cert sha256 [matched] <- 3 0 1 3f82f164796edead461434a60f13bf21416e6fba5f15c9a08c6483b644f81009
  smtp-in20.enterprise-email.com[2a00:1200:0:9::65b]: pass: TLSA match: depth = 0, name = smtp-in20.enterprise-email.com
      cert sha256 [matched] <- 3 0 1 3f82f164796edead461434a60f13bf21416e6fba5f15c9a08c6483b644f81009

So you can have either qname-minimization, or unimpeded delivery to this
and similar domains.  You might reach out to the tech-support team at
enterprise-email.com and ask them to fix their nameservers; the mishandling
of empty non-terminals needs to be fixed.

-- 
	Viktor.
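An added illustration, not part of the post above, of why qname minimisation interacts badly with the empty-non-terminal bug the thread describes: a toy authoritative server and resolver over a constructed zone for the names in the thread. The zone contents (apart from the TLSA data quoted in the post), the resolver's stopping rule and the "already knows enterprise-email.com." starting point are simplifications assumed for the model, not Unbound's or any nameserver's code.

```python
# Toy model (constructed for this example): a nameserver that answers NXDOMAIN
# for empty non-terminals (ENTs) breaks TLSA lookups under qname minimisation
# (RFC 7816) while a plain full-name query still succeeds.
# _tcp.login.enterprise-email.com. is an ENT: it owns no records itself but has
# a child, so the correct answer for it is NODATA (NOERROR, empty), never NXDOMAIN.
TLSA_LOGIN = "3 0 1 ebb423a21d60370e9f9df7e5fdef08518748142c4411749758e386c560f05eba"
ZONE = {
    "enterprise-email.com.": {"MX": ["10 login.enterprise-email.com."]},
    "login.enterprise-email.com.": {"A": ["192.0.2.10"]},  # constructed address
    "_25._tcp.login.enterprise-email.com.": {"TLSA": [TLSA_LOGIN]},
}

def authoritative_answer(name, rrtype, ent_bug):
    """Answer one query: ('NOERROR', rrs) or ('NXDOMAIN', [])."""
    if name in ZONE:
        return "NOERROR", ZONE[name].get(rrtype, [])
    has_descendant = any(n.endswith("." + name) for n in ZONE)
    if has_descendant and not ent_bug:
        return "NOERROR", []      # correct behaviour: NODATA for an ENT
    return "NXDOMAIN", []         # the bug: an ENT reported as nonexistent

def resolve(qname, rrtype, minimise, ent_bug):
    """Resolve qname/rrtype either directly or with RFC 7816-style minimisation."""
    if not minimise:
        return authoritative_answer(qname, rrtype, ent_bug)
    labels = qname.rstrip(".").split(".")
    known = 2   # assumption: resolver already knows enterprise-email.com. exists
    rcode, rrs = "NOERROR", []
    # Walk from the closest known ancestor towards the full name, one label
    # at a time, asking for NS on partial names and the real type at the end.
    for i in range(len(labels) - known - 1, -1, -1):
        partial = ".".join(labels[i:]) + "."
        qtype = rrtype if i == 0 else "NS"
        rcode, rrs = authoritative_answer(partial, qtype, ent_bug)
        if rcode == "NXDOMAIN":
            return "NXDOMAIN", []   # resolver stops: the subtree "does not exist"
    return rcode, rrs

def tlsa_visible(minimise, ent_bug):
    """Does the minimising (or not) resolver see the MX host's TLSA record?"""
    rcode, rrs = resolve("_25._tcp.login.enterprise-email.com.", "TLSA",
                         minimise, ent_bug)
    return rcode == "NOERROR" and TLSA_LOGIN in rrs
```

With the ENT bug present, only the non-minimising resolver finds the record, which is the trade-off the post describes; with a correct NODATA answer both paths succeed.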


