On Thu, Jun 09, 2016 at 01:10:54PM +0200, Andreas Schulze wrote:

> We have a message to *@transfennica.com. Postfix looks up the MX 
> (mail.spliethoff.nl) and tries to validate via DANE.
> That fails:
>   Jun  9 11:55:00 mail postfix/smtp[12345]: warning: TLS policy lookup for transfennica.com/mail.spliethoff.nl: TLSA lookup error for mail.spliethoff.nl:25
>   Jun  9 11:55:00 mail postfix/smtp[12345]: warning: TLS policy lookup for transfennica.com/smtp.spliethoff.nl: TLSA lookup error for smtp.spliethoff.nl:25
>   Jun  9 11:55:00 mail postfix/smtp[12345]: QUEUEID: to=<[email protected]>, relay=none, delay=0.75, delays=0.13/0/0.62/0, dsn=4.7.5, status=deferred (TLSA lookup error for smtp.spliethoff.nl:25)
> 
> OK, I went to dane.sys4.de (thanks for the service), but simply got 
> "transfennica.com don't use DNSSEC".
> It would be helpful if the validator did the MX lookup and checked the MX 
> hosts like Postfix does.

Right, Postfix 3.1 by default also enables "half-dane" for signed
MX hosts of unsigned domains.  The validator does not support this.

The simplest solution is to test the domain of the MX host.

    $ dig +noall +ans +nocl +nottl -t mx spliethoff.nl | sort -k3n
    spliethoff.nl.              CNAME   spliethoff.com.
    spliethoff.com.             MX      10 mail.spliethoff.nl.
    spliethoff.com.             MX      20 fw.spliethoff.nl.
    spliethoff.com.             MX      80 smtp.spliethoff.nl.

This is a secure delegation to a zone which contains a CNAME at
the zone apex, along with DNSKEY and SOA records; this is not legal,
AFAIK.  It is surely a good way to trigger DNSSEC interoperability
problems.  Also the RRSIG lifetime is ~10000 days; that's a lot
of optimism about the security of the keys...

Amazingly, unbound seems to cope:

    $ dig +noall +ans +nocl +nottl -t mx spliethoff.com | sort -k3n
    spliethoff.com.             MX      10 mail.spliethoff.nl.
    spliethoff.com.             MX      20 fw.spliethoff.nl.
    spliethoff.com.             MX      80 smtp.spliethoff.nl.

    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10499
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
    ;_25._tcp.mail.spliethoff.nl. IN        TLSA
    spliethoff.nl.          SOA     ns01.is.nl. postmaster.is.nl. 2016053000 14400 3600 604800 856071724
    spliethoff.nl.          RRSIG   SOA 8 2 86400 20160623000000 20160609000000 51946 spliethoff.nl. uqwk6b8F8cTJBBtdT/CV2LnPQdpD1LOpV1rVROH/XLg/hA1e2ncmy8wf zIBZA0XI8yKsNbAlgvRDomOCqrjjioqOl8Gav5mfEaSofxblBjc2d1oK vBhBI5mrFyWlQpO9SiEqrYniecPs70+LcLhvwBRrh7SHH+xJ5EZ9hlcC d/E=
    mail.spliethoff.nl.     NSEC    mijn.spliethoff.nl. A RRSIG NSEC
    mail.spliethoff.nl.     RRSIG   NSEC 8 3 856071724 20160623000000 20160609000000 51946 spliethoff.nl. kzMKDzXkFioPrEA3rgrwuDh6PwP0fFEfLRH2Z20BX1BkyGmj7YlStUyq I45VogyfZ13MjgdrXX05qWJLACpPkAiMkN5jxSFr/Ke2U/ErviHpbW4B ndGydcZq7/90N8ZTgbeRPEAEyTy8LNqPH8VPw4iGC2g4LeYNH9vw56W5 tY4=
    spliethoff.nl.          NSEC    _autodiscover._tcp.spliethoff.nl. NS CNAME SOA MX TXT RRSIG NSEC DNSKEY
    spliethoff.nl.          RRSIG   NSEC 8 2 856071724 20160623000000 20160609000000 51946 spliethoff.nl. NmVyFCOMwmp6uvOeojQKcgZiim3hcsS+I5WVXHDnsrBHXa2avpyAySPv TQwT1r/CkjpyesVSShT8P8jN2QucZ/zcB0oLysY04+rYrjBiB0nW+MlK 16DSsq3m/8dQc094FhehWFVnCnvLxoIicDZjJHviYecC4c4z4i7DT4Dp U4g=

With DNS issues like this, go to dnsviz.net:

    Cached data:

        http://dnsviz.net/d/_25._tcp.mail.spliethoff.nl/dnssec/

    Forced refresh:

        http://dnsviz.net/d/_25._tcp.mail.spliethoff.nl/analyze/

The admin of this domain has gone far out of his way to mess it up...

-- 
        Viktor.
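The check Andreas asked for (walk the MX hosts and test each one's TLSA records, the way Postfix does for "half-dane"), as an added example that is not from the thread or from the Postfix project. It drives `dig` through the local validating resolver and decides per MX host what a DANE-enabled MTA can do; the presence of `dig` on PATH and a validating resolver are assumptions.

```python
"""Added example (not from the thread): check a domain's MX hosts for DANE
the way Postfix's "dane" level does, so an unsigned domain (transfennica.com)
whose MX hosts sit in a signed zone (spliethoff.nl, "half-dane") is covered.
run_dig assumes `dig` on PATH and a validating local resolver."""
import subprocess

def parse_mx(text):
    """(preference, host) pairs from dig's answer section, lowest first.
    Works with or without +nocl/+nottl; comment and CNAME lines are skipped."""
    mx = []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith(";") or "MX" not in parts:
            continue
        i = parts.index("MX")
        mx.append((int(parts[i + 1]), parts[i + 2].rstrip(".").lower()))
    return sorted(mx)

def parse_status(text):
    """(rcode, ad) from the ';; ->>HEADER<<-' and ';; flags:' lines that
    `dig +comments` prints; ad=True means the resolver validated the answer."""
    rcode, ad = None, False
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            rcode = line.split("status:")[1].split(",")[0].strip()
        elif line.startswith(";; flags:"):
            ad = "ad" in line[len(";; flags:"):].split(";")[0].split()
    return rcode, ad

def tlsa_policy(mx_ad, rcode, ad, tlsa_count):
    """Outcome for one MX host, in the terms Postfix logs above."""
    if rcode not in ("NOERROR", "NXDOMAIN"):
        return "deferred: TLSA lookup error"   # the dsn=4.7.5 case in the log
    if not ad or tlsa_count == 0:
        return "no usable TLSA: opportunistic TLS"
    return "DANE" if mx_ad else "half-DANE (MX host signed, domain not)"

def run_dig(name, rrtype):
    """Live lookup; returns (raw dig output, (rcode, ad))."""
    cmd = ["dig", "+noall", "+comments", "+answer", "-t", rrtype, name]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return out, parse_status(out)

def check_domain(domain):
    """Report, per MX host of `domain`, what a DANE-enabled MTA would do."""
    mx_out, (_, mx_ad) = run_dig(domain, "MX")
    report = {}
    for _, host in parse_mx(mx_out):
        tlsa_out, (rcode, ad) = run_dig(f"_25._tcp.{host}.", "TLSA")
        n = sum(1 for l in tlsa_out.splitlines()
                if not l.startswith(";") and "TLSA" in l.split()[:5])
        report[host] = tlsa_policy(mx_ad, rcode, ad, n)
    return report
```

Calling `check_domain("transfennica.com")` reproduces the case in the log: the MX lookup is insecure, and each `_25._tcp.<mx>.` TLSA lookup is classified by its rcode and AD bit rather than by the validator's domain-level DNSSEC check.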
