Thanks for the email. According to the report, the CNAME lookup of _25._tcp.open.nlnetlabs.nl is bogus. However it is not, so there is a problem with my CNAME chaser.
I'll check it out.

> On Sep 7, 2015, at 4:46 PM, Viktor Dukhovni <[email protected]> wrote:
>
> On Mon, Sep 07, 2015 at 08:10:38PM +0000, Viktor Dukhovni wrote:
>
>> And yet the validator claims the TLSA RRset is "bogus",
>> reports failure:
>>
>> http://ec2.simson.net/dane_check.cgi?host=openssl.org
>>
>> BOGUS DNS CNAME lookup _25._tcp.mta.openssl.org. =
>> wildcard._dane.openssl.org.
>>
>> Something's not quite right here...
>
> The issue seems to be systemic:
>
> http://ec2.simson.net/dane_check.cgi?host=nlnetlabs.nl
>
> BOGUS DNS CNAME lookup _25._tcp.nlnetlabs.nl =
> 3.1.1._dane-both.nlnetlabs.nl.
>
> http://ec2.simson.net/dane_check.cgi?host=spodhuis.org
>
> BOGUS DNS CNAME lookup _25._tcp.mx.spodhuis.org. =
> _globnix-tlsa.spodhuis.org.
>
> http://ec2.simson.net/dane_check.cgi?host=wizmail.org
>
> BOGUS DNS CNAME lookup _25._tcp.wizmail.org. = _cert301.wizmail.org.
>
> All three are in fact fine. So the handling of TLSA CNAMEs seems
> to be broken.
>
> --
> Viktor.
