DANE plus wildcard record

Rob McGee rob0 at nodns4.us
Sat Jun 15 21:41:15 CEST 2019


On 2019-06-15 13:48, I wrote:
> On 2019-06-15 12:11, I wrote:
>> Testing on a dnsmasq from home I don't get SERVFAIL, just NOERROR.
> 
> I still think this is an interesting problem, perhaps a BIND problem.
> The user didn't set a TLSA and might have had no idea about DANE
> ("isn't that what Hamlet was?") and yet was unable to get mail from my
> DANE-enabled host.

Logs (from named) of the SERVFAIL:

15-Jun-2019 18:49:00.419 lame-servers: info: no valid RRSIG resolving 'smtp.example.com/DS/IN': 176.56.237.121#53
15-Jun-2019 18:49:00.468 lame-servers: info: no valid RRSIG resolving 'smtp.example.com/DS/IN': 45.119.209.45#53
15-Jun-2019 18:49:00.468 lame-servers: info: no valid DS resolving '_25._tcp.smtp.example.com/TLSA/IN': 45.119.209.45#53
15-Jun-2019 18:49:00.567 dnssec: info: validating _25._tcp.smtp.example.com/TLSA: bad cache hit (smtp.example.com/DS)
15-Jun-2019 18:49:00.567 lame-servers: info: broken trust chain resolving '_25._tcp.smtp.example.com/TLSA/IN': 176.56.237.121#53

This was after "rndc flushtree example.com", so I am still not sure what
the error means.

Hmm, why is it wanting DS for smtp.example.com?  That's not a zone, it
is only an A record in example.com.
-- 
   http://rob0.nodns4.us/
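The named log lines quoted above read as a dependency chain: the TLSA validation reports a "bad cache hit" on smtp.example.com/DS, and that DS lookup is the one that produced "no valid RRSIG" from both authoritative servers. The following script is an added example, not code from the thread or from BIND: it parses the `lame-servers` and `dnssec` category messages named emits during validation, groups them by the name and type being resolved, and follows the "(name/TYPE)" dependency noted in a `dnssec:` line back to the record the failure rests on. The sample log is constructed to mirror the five lines quoted in the post; the regexes are assumptions about the message layout of this BIND version and match only the phrasings shown. It makes the chain visible for triage; it does not answer the question of why the resolver wanted a DS for a name that is not a zone cut.

```python
"""Trace a BIND DNSSEC validation failure back through named's log lines.

Added example (not part of the dane-users thread or of BIND). It parses
'lame-servers' and 'dnssec' validation messages, groups them per
name/type, and follows the '(name/TYPE)' dependency a 'dnssec:' line
reports to find the record the broken trust chain rests on.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the log lines quoted in the post.
SAMPLE_LOG = """\
15-Jun-2019 18:49:00.419 lame-servers: info: no valid RRSIG resolving 'smtp.example.com/DS/IN': 176.56.237.121#53
15-Jun-2019 18:49:00.468 lame-servers: info: no valid RRSIG resolving 'smtp.example.com/DS/IN': 45.119.209.45#53
15-Jun-2019 18:49:00.468 lame-servers: info: no valid DS resolving '_25._tcp.smtp.example.com/TLSA/IN': 45.119.209.45#53
15-Jun-2019 18:49:00.567 dnssec: info: validating _25._tcp.smtp.example.com/TLSA: bad cache hit (smtp.example.com/DS)
15-Jun-2019 18:49:00.567 lame-servers: info: broken trust chain resolving '_25._tcp.smtp.example.com/TLSA/IN': 176.56.237.121#53
"""

# Assumed layouts, taken from the lines above; other named messages are skipped.
LAME_RE = re.compile(
    r"^(?P<ts>\S+ \S+) lame-servers: \w+: (?P<reason>.+?) resolving "
    r"'(?P<name>[^/]+)/(?P<rtype>[A-Z0-9]+)/IN': (?P<server>[\d.:a-fA-F]+)#\d+$"
)
DNSSEC_RE = re.compile(
    r"^(?P<ts>\S+ \S+) dnssec: \w+: validating (?P<name>[^/]+)/(?P<rtype>[A-Z0-9]+): "
    r"(?P<reason>.+?)(?: \((?P<dep>[^)]+)\))?$"
)


def parse_line(line):
    """Return a dict for a validation-related line, or None for anything else."""
    m = LAME_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["category"] = "lame-servers"
        ev["dep"] = None          # lame-servers lines carry no dependency hint
        return ev
    m = DNSSEC_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["category"] = "dnssec"
        ev["server"] = None       # dnssec lines name no upstream server
        return ev
    return None


def summarize(log_text):
    """Group events by 'name/TYPE'.

    Returns {qname: {"reasons": [...], "servers": [...], "depends_on": [...]}}
    with lists in first-seen order, so the earliest failure reason comes first.
    """
    summary = defaultdict(lambda: {"reasons": [], "servers": [], "depends_on": []})
    for line in log_text.splitlines():
        ev = parse_line(line.strip())
        if ev is None:
            continue
        entry = summary[f"{ev['name']}/{ev['rtype']}"]
        if ev["reason"] not in entry["reasons"]:
            entry["reasons"].append(ev["reason"])
        if ev["server"] and ev["server"] not in entry["servers"]:
            entry["servers"].append(ev["server"])
        if ev["dep"] and ev["dep"] not in entry["depends_on"]:
            entry["depends_on"].append(ev["dep"])
    return dict(summary)


def root_cause(summary, qname):
    """Follow depends_on links from qname until a record with no further dependency."""
    seen = []
    cur = qname
    while cur in summary and cur not in seen:
        seen.append(cur)
        deps = summary[cur]["depends_on"]
        if not deps:
            break
        cur = deps[0]
    return cur


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for qname, info in s.items():
        print(f"{qname}: {', '.join(info['reasons'])}; servers {info['servers']}")
    print("root cause:", root_cause(s, "_25._tcp.smtp.example.com/TLSA"))
```

Run against a real named log with the `dnssec` and `lame-servers` categories enabled, the `depends_on` link is what turns a TLSA SERVFAIL into a concrete record to examine with `dig +dnssec`.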
