DANE plus wildcard record
Rob McGee
rob0 at nodns4.us
Sat Jun 15 21:41:15 CEST 2019
On 2019-06-15 13:48, I wrote:
> On 2019-06-15 12:11, I wrote:
>> Testing on a dnsmasq from home I don't get SERVFAIL, just NOERROR.
>
> I still think this is an interesting problem, perhaps a BIND problem.
> The user didn't set a TLSA and might have had no idea about DANE
> ("isn't
> that what Hamlet was?") and yet was unable to get mail from my DANE-
> enabled host.
Logs (from named) of the SERVFAIL:
15-Jun-2019 18:49:00.419 lame-servers: info: no valid RRSIG resolving
'smtp.example.com/DS/IN': 176.56.237.121#53
15-Jun-2019 18:49:00.468 lame-servers: info: no valid RRSIG resolving
'smtp.example.com/DS/IN': 45.119.209.45#53
15-Jun-2019 18:49:00.468 lame-servers: info: no valid DS resolving
'_25._tcp.smtp.example.com/TLSA/IN': 45.119.209.45#53
15-Jun-2019 18:49:00.567 dnssec: info: validating
_25._tcp.smtp.example.com/TLSA: bad cache hit (smtp.example.com/DS)
15-Jun-2019 18:49:00.567 lame-servers: info: broken trust chain
resolving '_25._tcp.smtp.example.com/TLSA/IN': 176.56.237.121#53
This was after "rndc flushtree example.com", so I am still not sure what
the error means.
Hmm, why is it wanting DS for smtp.example.com? That's not a zone, it
is only an A record in example.com.
--
http://rob0.nodns4.us/
More information about the dane-users
mailing list