Viktor, Thanks for finding this.

The problem appears to be with getdns... it's returning that CNAME lookups are bogus when in fact they are not. I have filed a ticket request with the getdns team.

https://github.com/getdnsapi/getdns-python-bindings/issues/33

Until this is resolved, people should not use my validator, as the results are untrustworthy with regards to CNAME records.

Simson

> On Sep 7, 2015, at 4:46 PM, Viktor Dukhovni <[email protected]> wrote:
>
> On Mon, Sep 07, 2015 at 08:10:38PM +0000, Viktor Dukhovni wrote:
>
>> And yet the validator claims the TLSA RRset is "bogus",
>> reports failure:
>>
>> http://ec2.simson.net/dane_check.cgi?host=openssl.org
>>
>> BOGUS DNS CNAME lookup _25._tcp.mta.openssl.org. =
>> wildcard._dane.openssl.org.
>>
>> Something's not quite right here...
>
> The issue seems to be systemic:
>
> http://ec2.simson.net/dane_check.cgi?host=nlnetlabs.nl
>
> BOGUS DNS CNAME lookup _25._tcp.nlnetlabs.nl =
> 3.1.1._dane-both.nlnetlabs.nl.
>
> http://ec2.simson.net/dane_check.cgi?host=spodhuis.org
>
> BOGUS DNS CNAME lookup _25._tcp.mx.spodhuis.org. =
> _globnix-tlsa.spodhuis.org.
>
> http://ec2.simson.net/dane_check.cgi?host=wizmail.org
>
> BOGUS DNS CNAME lookup _25._tcp.wizmail.org. = _cert301.wizmail.org.
>
> All three are in fact fine. So the handling of TLSA CNAMEs seems
> to be broken.
>
> --
> Viktor.
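An added example, not code from this thread, from the validator, or from getdns: a CNAME-chain-aware status check for a TLSA lookup, run over constructed answer records modelled on the openssl.org names quoted above. It shows the rule the validator got wrong: a CNAME at the TLSA owner name is not a failure by itself; the lookup is bogus only when some link in the chain is bogus, and secure only when every link is. The RRset structure and status strings are assumptions for illustration, not getdns's API, and the TLSA digest is a placeholder.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RRset:
    """Constructed simplification of one validated RRset (not getdns's API)."""
    owner: str      # fully qualified owner name with trailing dot
    rrtype: str     # "CNAME" or "TLSA"
    rdata: tuple    # CNAME target, or TLSA presentation strings
    dnssec: str     # "secure", "insecure", "indeterminate" or "bogus"


# Severity order: the weakest link decides the status of the whole chain.
RANK = {"secure": 0, "insecure": 1, "indeterminate": 2, "bogus": 3}


def tlsa_lookup_status(qname: str, answer: List[RRset],
                       max_hops: int = 8) -> Tuple[str, Optional[str]]:
    """Follow CNAMEs from qname to the TLSA RRset, combining DNSSEC statuses.

    Returns (status, owner name where the walk stopped). A CNAME hop never
    makes the lookup bogus on its own; only a bogus link does."""
    by_owner = {}
    for rr in answer:
        by_owner.setdefault(rr.owner.lower(), []).append(rr)
    name, worst = qname.lower(), "secure"
    for _ in range(max_hops):
        rrsets = by_owner.get(name, [])
        tlsa = [r for r in rrsets if r.rrtype == "TLSA"]
        cname = [r for r in rrsets if r.rrtype == "CNAME"]
        if tlsa:
            worst = max(worst, tlsa[0].dnssec, key=RANK.__getitem__)
            return worst, name
        if not cname:
            # Chain ends without a TLSA RRset: report the weakest link, else nodata.
            return ("nodata" if worst == "secure" else worst), name
        worst = max(worst, cname[0].dnssec, key=RANK.__getitem__)
        name = cname[0].rdata[0].lower()
    return "indeterminate", name  # CNAME loop or chain too long


SAMPLE_ANSWER = [  # constructed, modelled on the openssl.org names in the thread
    RRset("_25._tcp.mta.openssl.org.", "CNAME", ("wildcard._dane.openssl.org.",), "secure"),
    RRset("wildcard._dane.openssl.org.", "TLSA", ("3 1 1 <placeholder-digest>",), "secure"),
]

if __name__ == "__main__":
    print(tlsa_lookup_status("_25._tcp.mta.openssl.org.", SAMPLE_ANSWER))
```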
