Postfix with DANE enabled is unable to deliver mail to mailboxes
in the "clarion-hotels.cz" domain (validating recursive resolvers
SERVFAIL TLSA lookups). The domain is DNSSEC signed:
$ dig +ad +noall +comment +ans -t mx clarion-hotels.cz
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25470
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
clarion-hotels.cz. 1799 IN MX 10 mail.clarion-hotels.cz.
clarion-hotels.cz. 1799 IN MX 20 mail2.clarion-hotels.cz.
However, it also sports a wildcard CNAME:
$ dig +cd +norecur +dnssec +vc -t CNAME "*.clarion-hotels.cz." @ns.forpsi.cz
; <<>> DiG 9.8.0rc1 <<>> +cd +norecur +dnssec +vc -t CNAME
*.clarion-hotels.cz. @ns.forpsi.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17866
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 8
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;*.clarion-hotels.cz. IN CNAME
;; ANSWER SECTION:
*.clarion-hotels.cz. 1800 IN CNAME clarion-hotels.cz.
*.clarion-hotels.cz. 1800 IN RRSIG CNAME 5 2 1800
20140924121306 20140825121306 13077 clarion-hotels.cz.
M8OQ5fcnOYPX2XXvV9Cgefkjv2AHYFLAMeDfUpBuSk1PBFG6s/4tMSLb
C/0r72TOjZupOHe5vizyzamAcE6m7dA4tlXGlWkTapf95lKFRokqjQow
eRESgmZSS/b43jgxLv/+FRsu3rYnz77j3cC413qBn0PDDKLbepk0YEZC yTk=
;; AUTHORITY SECTION:
clarion-hotels.cz. 3600 IN NS ns.forpsi.net.
clarion-hotels.cz. 3600 IN NS ns.forpsi.it.
clarion-hotels.cz. 3600 IN NS ns.forpsi.cz.
clarion-hotels.cz. 3600 IN RRSIG NS 5 2 3600 20140924121306
20140825121306 13077 clarion-hotels.cz.
E+Cj1pVvA9v/VP0b2AaOZpENNYiHScIVbXt+h5bpkkl6/iivoTxtORS3
xFCM+mcqkmgQf3xxo9eB0AwbKdf1Mjk4MB4GMn0m2XicWmdRPzHld57Y
qr3vorVvOx1OKigLz3LHhYNzp4nC4qIZ1xqhTstgovnlr8I8QB6fhhnu wB4=
*.clarion-hotels.cz. 3600 IN NSEC mail.clarion-hotels.cz.
CNAME RRSIG NSEC
*.clarion-hotels.cz. 3600 IN RRSIG NSEC 5 2 3600
20140924121306 20140825121306 13077 clarion-hotels.cz.
jlZzNSRlMVDZ2YFPwJJLy7ba37h4w35+C3ge7iikVx03zIQWiBweU3hJ
agqn/eCW8LnKGoDBvTUakvEenPnf9P4PUdOCL3/2trHLyLMv4NCafLaT
n3d8OSbj6VWCKR1LWNSIcp3es3FbAsdWJtmcXe4oAKSP4i2dBmSEPq/F nS8=
;; ADDITIONAL SECTION:
ns.forpsi.net. 1800 IN A 81.2.194.130
ns.forpsi.net. 1800 IN AAAA 2001:15e8:101:1::c282
ns.forpsi.it. 1800 IN A 62.149.230.87
ns.forpsi.cz. 1800 IN A 81.2.209.185
ns.forpsi.cz. 1800 IN RRSIG A 5 3 1800
20141004100806 20140904100806 27135 forpsi.cz.
Nzo4Ma5iB8QFY6IERC3KLLRPkxsSQgBJgFMQHLl8AGuhaNwEeDLUaYz/
ZPjfiH2Rqchc5VV+nWV63gYhVGa4UB2fFLoFFn3L8Y6uTcBe3c7m3AaP
ltUcrI2Wi7lR6Pf8DkncvtLLaumkRQ6FNkpYjyC/jkbVOMyP1r87TYXZ L78=
ns.forpsi.cz. 1800 IN AAAA 2001:15e8:201:1::d1b9
ns.forpsi.cz. 1800 IN RRSIG AAAA 5 3 1800
20141004100806 20140904100806 27135 forpsi.cz.
TF1AWJD3Wcun92QwS1+ZBy29Zi2qIkBWlYqUeFHGxyQhSlcSAWEt+oOr
aTyqk79M38mH7TkFzrCBof+TAc6nM9JSOjm9RfmFQ0FVyM1cpmDxD79W
coBeQcGStVofuvdKeuhZG2oiMyBKrbyUFZw1mgI0bupVs1daIy+zzdcQ 43c=
;; Query time: 104 msec
;; SERVER: 2001:15e8:201:1::d1b9#53(2001:15e8:201:1::d1b9)
;; WHEN: Thu Sep 4 19:57:58 2014
;; MSG SIZE rcvd: 1156
I think the DNS servers in question don't correctly handle CNAMEs
and DNSSEC and this impacts TLSA queries for non-existent records
(SERVFAIL with many validating resolvers). The response does not
include the "*.clarion-hotels.cz" RR and RRSIG. Instead we have
just the requested query name with an RRSIG as below:
_25._tcp.mail.clarion-hotels.cz. 1800 IN RRSIG CNAME 5 2 1800 \
20140924121306 20140825121306 13077 clarion-hotels.cz. \
M8OQ5fcnOYPX2XXvV9Cgefkjv2AHYFLAMeDfUpBuSk1PBFG6s/4tMSLb \
C/0r72TOjZupOHe5vizyzamAcE6m7dA4tlXGlWkTapf95lKFRokqjQow \
eRESgmZSS/b43jgxLv/+FRsu3rYnz77j3cC413qBn0PDDKLbepk0YEZC yTk=
_25._tcp.mail2.clarion-hotels.cz. 1800 IN RRSIG CNAME 5 2 1800 \
20140924121306 20140825121306 13077 clarion-hotels.cz. \
M8OQ5fcnOYPX2XXvV9Cgefkjv2AHYFLAMeDfUpBuSk1PBFG6s/4tMSLb \
C/0r72TOjZupOHe5vizyzamAcE6m7dA4tlXGlWkTapf95lKFRokqjQow \
eRESgmZSS/b43jgxLv/+FRsu3rYnz77j3cC413qBn0PDDKLbepk0YEZC yTk=
The surprising thing is that for two different qnames the RRSIG is
the same, and in fact the same as for the wildcard qname! If RRSIGs
depended only on the RDATA and not on the qname, surely there'd be
serious integrity issues with DNSSEC. So I think that the
authoritative servers for this domain are busted, is that correct?
More complete server responses below (left out the authority and
additional sections to avoid needless clutter):
$ dig +cd +norecur +dnssec +vc -t tlsa "_25._tcp.mail.clarion-hotels.cz." @ns.forpsi.cz
; <<>> DiG 9.8.0rc1 <<>> +cd +norecur +dnssec +vc -t tlsa
_25._tcp.mail.clarion-hotels.cz. @ns.forpsi.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33941
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_25._tcp.mail.clarion-hotels.cz. IN TLSA
;; ANSWER SECTION:
_25._tcp.mail.clarion-hotels.cz. 1800 IN CNAME clarion-hotels.cz.
_25._tcp.mail.clarion-hotels.cz. 1800 IN RRSIG CNAME 5 2 1800
20140924121306 20140825121306 13077 clarion-hotels.cz.
M8OQ5fcnOYPX2XXvV9Cgefkjv2AHYFLAMeDfUpBuSk1PBFG6s/4tMSLb
C/0r72TOjZupOHe5vizyzamAcE6m7dA4tlXGlWkTapf95lKFRokqjQow
eRESgmZSS/b43jgxLv/+FRsu3rYnz77j3cC413qBn0PDDKLbepk0YEZC yTk=
$ dig +cd +norecur +dnssec +vc -t tlsa "_25._tcp.mail2.clarion-hotels.cz." @ns.forpsi.cz
; <<>> DiG 9.8.0rc1 <<>> +cd +norecur +dnssec +vc -t tlsa
_25._tcp.mail2.clarion-hotels.cz. @ns.forpsi.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44567
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_25._tcp.mail2.clarion-hotels.cz. IN TLSA
;; ANSWER SECTION:
_25._tcp.mail2.clarion-hotels.cz. 1800 IN CNAME clarion-hotels.cz.
_25._tcp.mail2.clarion-hotels.cz. 1800 IN RRSIG CNAME 5 2 1800
20140924121306 20140825121306 13077 clarion-hotels.cz.
M8OQ5fcnOYPX2XXvV9Cgefkjv2AHYFLAMeDfUpBuSk1PBFG6s/4tMSLb
C/0r72TOjZupOHe5vizyzamAcE6m7dA4tlXGlWkTapf95lKFRokqjQow
eRESgmZSS/b43jgxLv/+FRsu3rYnz77j3cC413qBn0PDDKLbepk0YEZC yTk=
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
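Added example (editor's code, not part of the message above): a small Python check of what the labels field in these RRSIGs tells a validator. Per RFC 4034 section 3.1.3 the labels field counts the labels of the owner name the signer actually signed, not counting the root or a leading "*"; here it is 2 for a 5-label qname such as _25._tcp.mail.clarion-hotels.cz, so per RFC 4035 section 5.3.2 a validator reconstructs the wildcard owner "*.clarion-hotels.cz" and verifies the signature over that, which is why all three RRSIGs carry byte-identical signatures. RFC 4035 section 5.3.4 then additionally requires the response to prove, with NSEC or NSEC3 records in the authority section, that no closer match than the wildcard existed; the message omits those sections, so the authority record types fed to the last check are constructed placeholders. The RRSIG lines are transcribed from the dig output in the message.

```python
"""
Added example: decode the RRSIG labels field (RFC 4034 s3.1.3), recover
the owner name a signature was computed over (RFC 4035 s5.3.2), and
check whether a response carries the NSEC/NSEC3 proof that a wildcard
expansion needs (RFC 4035 s5.3.4).  Not code from the original message.
"""
import re

# Presentation-format RRSIG lines transcribed from the dig output in the
# message (signature text joined; only equality of the signatures matters).
SIG = ("M8OQ5fcnOYPX2XXvV9Cgefkjv2AHYFLAMeDfUpBuSk1PBFG6s/4tMSLb"
       "C/0r72TOjZupOHe5vizyzamAcE6m7dA4tlXGlWkTapf95lKFRokqjQow"
       "eRESgmZSS/b43jgxLv/+FRsu3rYnz77j3cC413qBn0PDDKLbepk0YEZCyTk=")
SAMPLE_RRSIGS = [
    "*.clarion-hotels.cz. 1800 IN RRSIG CNAME 5 2 1800 "
    "20140924121306 20140825121306 13077 clarion-hotels.cz. " + SIG,
    "_25._tcp.mail.clarion-hotels.cz. 1800 IN RRSIG CNAME 5 2 1800 "
    "20140924121306 20140825121306 13077 clarion-hotels.cz. " + SIG,
    "_25._tcp.mail2.clarion-hotels.cz. 1800 IN RRSIG CNAME 5 2 1800 "
    "20140924121306 20140825121306 13077 clarion-hotels.cz. " + SIG,
]

# Constructed placeholder: record types seen in a response's AUTHORITY
# section (the message left the authority sections out).
PLACEHOLDER_AUTHORITY_WITH_PROOF = ["NS", "RRSIG", "NSEC", "RRSIG"]
PLACEHOLDER_AUTHORITY_WITHOUT_PROOF = ["NS", "RRSIG"]

RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<origttl>\d+)\s+(?P<expire>\d+)\s+"
    r"(?P<incept>\d+)\s+(?P<keytag>\d+)\s+(?P<signer>\S+)\s+(?P<sig>.+)$"
)


def parse_rrsig(line: str) -> dict:
    """Parse one presentation-format RRSIG line into its fields."""
    m = RRSIG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an RRSIG presentation line: {line!r}")
    d = m.groupdict()
    for key in ("ttl", "alg", "labels", "origttl", "keytag"):
        d[key] = int(d[key])
    d["sig"] = re.sub(r"\s+", "", d["sig"])  # dig prints base64 in chunks
    return d


def _labels(name: str) -> list:
    """Owner-name labels without the root label and a leading '*'."""
    parts = [p for p in name.rstrip(".").lower().split(".") if p]
    if parts and parts[0] == "*":
        parts = parts[1:]
    return parts


def label_count(name: str) -> int:
    """Label count as RFC 4034 s3.1.3 defines it for the labels field."""
    return len(_labels(name))


def is_wildcard_expanded(owner: str, labels: int) -> bool:
    """True when the RRSIG labels field is smaller than the owner's count."""
    return labels < label_count(owner)


def signed_owner(owner: str, labels: int) -> str:
    """Owner name the signature was computed over (RFC 4035 s5.3.2)."""
    parts = _labels(owner)
    if labels > len(parts):
        raise ValueError("RRSIG labels field exceeds owner label count")
    if labels == len(parts):
        return owner.rstrip(".").lower() + "."
    # Wildcard expansion: '*' followed by the rightmost `labels` labels.
    return "*." + ".".join(parts[len(parts) - labels:]) + "."


def wildcard_proof_present(authority_rrtypes) -> bool:
    """RFC 4035 s5.3.4: an expanded answer must carry NSEC/NSEC3 proof."""
    return any(t.upper() in ("NSEC", "NSEC3") for t in authority_rrtypes)


def analyze(lines) -> dict:
    """Summarise which owner each RRSIG really signs and how many differ."""
    sigs = [parse_rrsig(l) for l in lines]
    return {
        "signed_owners": sorted({signed_owner(s["owner"], s["labels"]) for s in sigs}),
        "distinct_signatures": len({s["sig"] for s in sigs}),
        "wildcard_expanded": [s["owner"] for s in sigs
                              if is_wildcard_expanded(s["owner"], s["labels"])],
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_RRSIGS)
    print("signature(s) computed over:", report["signed_owners"])
    print("distinct signature values:", report["distinct_signatures"])
    print("wildcard-expanded qnames:", report["wildcard_expanded"])
    print("proof present (placeholder authority):",
          wildcard_proof_present(PLACEHOLDER_AUTHORITY_WITH_PROOF),
          wildcard_proof_present(PLACEHOLDER_AUTHORITY_WITHOUT_PROOF))
```

Run against the three transcribed records, the analysis reports a single signed owner, "*.clarion-hotels.cz.", and a single distinct signature value; the two _25._tcp qnames are flagged as wildcard-expanded. What the check cannot settle from the message alone is the second half of the validation, the NSEC/NSEC3 denial of a closer match, because those authority records were left out; a practitioner reproducing this would re-run dig with the authority section kept and feed its record types to wildcard_proof_present.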