DANE plus wildcard record

Rob McGee rob0 at nodns4.us
Sat Jun 15 19:11:29 CEST 2019

Hi all, first post here.  Hi Viktor and the sys4.de gang.

I host a mailing list for a free software project with DANE enabled both
ways.  No need for secrecy there, it's Slackbuilds.org.

One of my subscribers recently signed his or her zone, and sadly, has a
wildcard A in that zone.  Unfortunately at this point I do have to keep
that zone name private, although offlist I'd tell it to someone I know
and consider trustworthy to maintain the user's confidence.

Oh, if you consult your dane.sys4.de logs for a bit ago, I suppose I
already DID tell you the zone name. :)  Starts with "a" and is in com.
TLD.  The checker reports "DNS lookup error for TLSA records: SERVFAIL",
which is what I get on the named recursive resolver that Postfix is
using, querying "_25._tcp.smtp.example.com./IN/TLSA".

So Postfix is refusing to deliver, believing that there should be a
TLSA.  But AFAIK this user never published TLSA.

The SOA MNAME host has disabled version.bind./CH/TXT lookups so I am
not sure what software is in use, but having A for an invalid hostname
(underscores not allowed in hostnames) would be a problem for BIND
named, which by default would not allow that.  But I don't know how
that feature interacts with wildcard records.

Testing on a dnsmasq from home I don't get SERVFAIL, just NOERROR.

More information about the dane-users mailing list