In message <[email protected]>, Viktor Dukhovni writes:
> On Fri, Sep 05, 2014 at 09:05:33AM +1000, Mark Andrews wrote:
> 
> > > Yes, in fact between posting and reading your answer, I went off
> > > and did some reading.  The problem as I now understand it seems to
> > > be that:
> > > 
> > >   1. *.clarion-hotels.cz IN CNAME exists.
> > >   2. mail2.clarion-hotels.cz exists.
> > >   3. _tcp.mail2.clarion-hotels.cz does not exist.
> > > 
> > > and finally, the nameservers for clarion-hotels.cz incorrectly
> > > apply the wildcard CNAME to a child of an existing sibling node
> > > (mail2).  This is detected as an error by various validating
> > > resolvers.
> > > 
> > > Is this right?
> > 
> > Yes.
> 
> Thanks.  I wrote to the operators of the DNS servers, and they are
> planning to fix the bug, but implemented a short-term work-around,
> where the wildcard CNAME was replaced by a wildcard A record.  However
> the work-around is not working to the satisfaction of my resolver,
> any idea why?
The problem is the wildcard and the broken wildcard processing, not
the CNAME.  The rcode is wrong as a result, NOERROR != NXDOMAIN.

Getting rid of the wildcard and adding explicit address records for
every name the http server is configured for, plus anything else
depending on the wildcard, will work.

Alternatively, adding non-TLSA records at the expected TLSA names
should work, as it should prevent the attempted wildcard lookup in
the server and the resulting mismatch.

	_tlsa._tcp.mail.clarion-hotels.cz TXT "-"
	_tlsa._tcp.mail2.clarion-hotels.cz TXT "-"

Alternatively they could configure the MTAs to support STARTTLS and
add TLSA records.

Mark

> $ dig +dnssec +norecur -t tlsa _25._tcp.mail2.clarion-hotels.cz @ns.forpsi.net
> 
> ; <<>> DiG 9.8.3-P1 <<>> +dnssec +norecur -t tlsa _25._tcp.mail2.clarion-hotels.cz @ns.forpsi.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31810
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;_25._tcp.mail2.clarion-hotels.cz.	IN	TLSA
> 
> ;; AUTHORITY SECTION:
> clarion-hotels.cz.	3600	IN	SOA	ns.forpsi.net. admin.forpsi.com. 2014090502 3600 1800 2592000 3600
> clarion-hotels.cz.	3600	IN	RRSIG	SOA 5 2 3600 20141005113302 20140905113302 13077 clarion-hotels.cz. Y4JCzy6U/fMI2tz+pLfQ1mFD2h1jxRMJ7nUwXS0cxlE9xcN8QFibwC75 BBivVbf3Xb2oPXJTRTvkkUAXR1wziOCy/qvK4LyNFX2ENn2aKGn3i93H LrHM/5u1IoeG4niXbS22Tue3FEgYKcSX7UA5PDDQAQs2o+jX9IbwYawC teM=
> *.clarion-hotels.cz.	3600	IN	NSEC	mail.clarion-hotels.cz. A RRSIG NSEC
> *.clarion-hotels.cz.	3600	IN	RRSIG	NSEC 5 2 3600 20141005113302 20140905113302 13077 clarion-hotels.cz. lSf+ySQxo+sXxtuEZEIy7YghFeQnFlDd7vkZA8XO/ahgAzgxHZkAsQXk RjoJVCLd3E3FgX55Pu0RA6IQVn1ynZFYp3l1P24bC93+l3vszNsnMKnD qqjNIIzeYanNfkI34kdPpj5C1HhtrC1ZUhRwryphsKXX9KYFB/B4i+47 U2E=
> mail2.clarion-hotels.cz.	3600	IN	NSEC	clarion-hotels.cz. A RRSIG NSEC
> mail2.clarion-hotels.cz.	3600	IN	RRSIG	NSEC 5 3 3600 20141005113302 20140905113302 13077 clarion-hotels.cz. lX8m4n9dL8/055WYsv5LW/D9L7257lzOv9QAynpBlJiShQkYRFsAc9rT ZFdrCeahWXg01/jGVrUNoxwJUUxUobt8GFcTiXHvI/w5ej6rsc80tUVT BCnW9WsJBNiz7hDN8Ac3V8gKE77Td2TZxJpPtRdAOTW4mc6E04XsLIL7 XmQ=
> 
> ;; Query time: 130 msec
> ;; SERVER: 81.2.194.130#53(81.2.194.130)
> ;; WHEN: Fri Sep  5 11:04:38 2014
> ;; MSG SIZE  rcvd: 742
> 
> This time there is no erroneous wildcard CNAME response, just
> ANSWER:0, and some NSEC records in the authority section.  In
> particular there is an NSEC record that should prove absence of
> anything after "mail2", thus denying "_tcp.mail2"...
> 
> What's wrong now?  Oddly enough when I ask for "mail3.<etc> IN TLSA
> ?" the resolver is happy with a "NODATA" response, containing
> exactly the same records.  So these records constitute proof that
> "mail3" does not exist, but somehow fail to prove that "_tcp.mail2"
> does not?
> 
> -- 
> 	Viktor.
> 
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
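The question Viktor raises (why the same two NSEC records validate a NODATA answer for mail3 but not for _25._tcp.mail2) comes down to which wildcard is allowed to synthesize for a name. The following is an added example, not code from this thread or from any resolver: it applies the RFC 4034 section 6.1 canonical ordering, the NSEC covering check, and the closest-encloser rule of RFC 4592 to the two NSEC records quoted in the dig output above (owner, next name and type bitmap copied from there). It assumes the RRSIGs over those NSEC records have already been verified and models only the denial logic; the function names are this example's own.

```python
"""Added example: what the NSEC records in the dig output prove for a query.

Assumes the RRSIGs over these NSEC records have already been verified; only the
NSEC logic (RFC 4034 s.6.1 ordering, RFC 4035 s.5.4 denial proofs, RFC 4592
closest-encloser rule) is modelled.  Function names are this example's own.
"""


def labels(name):
    """Split a name into lowercase labels, left to right ("a.b.c." -> [a, b, c])."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def canon_key(name):
    """RFC 4034 s.6.1 canonical ordering key: labels compared from the root
    downward as case-folded octet strings; an ancestor (prefix) sorts first.
    Python's tuple-of-bytes comparison has exactly these semantics."""
    return tuple(lab.encode() for lab in reversed(labels(name)))


def nsec_covers(owner, nxt, name):
    """True if an NSEC with this owner/next pair proves 'name' does not exist."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(name)
    if o < n:
        return o < q < n
    return q > o or q < n   # last NSEC of the zone wraps around to the apex


def common_ancestor(a, b):
    """Longest name that is an ancestor of (or equal to) both a and b."""
    ka, kb = canon_key(a), canon_key(b)
    i = 0
    while i < min(len(ka), len(kb)) and ka[i] == kb[i]:
        i += 1
    return ".".join(lab.decode() for lab in reversed(ka[:i])) + "."


def closest_encloser(qname, owner, nxt):
    """Given an NSEC that covers qname, the longest existing ancestor of qname
    is the longer of its common ancestors with the NSEC owner and next names:
    any existing ancestor longer than both would sort between owner and next,
    an interval the NSEC asserts is empty."""
    return max((common_ancestor(qname, owner), common_ancestor(qname, nxt)),
               key=lambda n: len(labels(n)))


def prove(qname, qtype, nsecs):
    """What a verified NSEC set proves about <qname, qtype>:
    'NODATA'    the name (or the applicable wildcard) exists without qtype
    'POSITIVE'  the name (or the applicable wildcard) exists with qtype
    'NXDOMAIN'  neither the name nor *.<closest encloser> exists
    'UNPROVEN'  the set proves none of the above"""
    for owner, _nxt, types in nsecs:
        if canon_key(owner) == canon_key(qname):
            return "POSITIVE" if qtype in types else "NODATA"
    cover = next(((o, n) for o, n, _ in nsecs if nsec_covers(o, n, qname)), None)
    if cover is None:
        return "UNPROVEN"
    # Only the wildcard directly below the closest encloser may synthesize an
    # answer for qname (RFC 4592); a wildcard higher up the tree never applies.
    wildcard = "*." + closest_encloser(qname, *cover)
    for owner, nxt, types in nsecs:
        if canon_key(owner) == canon_key(wildcard):
            return "POSITIVE" if qtype in types else "NODATA"
        if nsec_covers(owner, nxt, wildcard):
            return "NXDOMAIN"
    return "UNPROVEN"


def check_response(qname, qtype, rcode, ancount, nsecs):
    """Compare what the authority-section NSECs prove with the rcode and answer
    count the server actually sent.  Returns (proof, consistent)."""
    proof = prove(qname, qtype, nsecs)
    consistent = {
        "NXDOMAIN": rcode == "NXDOMAIN" and ancount == 0,
        "NODATA": rcode == "NOERROR" and ancount == 0,
        "POSITIVE": rcode == "NOERROR" and ancount > 0,
    }.get(proof, False)
    return proof, consistent


# The two NSEC records from the dig output above: (owner, next, type bitmap).
RESPONSE_NSECS = [
    ("*.clarion-hotels.cz.", "mail.clarion-hotels.cz.", {"A", "RRSIG", "NSEC"}),
    ("mail2.clarion-hotels.cz.", "clarion-hotels.cz.", {"A", "RRSIG", "NSEC"}),
]

if __name__ == "__main__":
    # Both queries came back NOERROR with ANSWER: 0, as described in the thread.
    for q in ("_25._tcp.mail2.clarion-hotels.cz.", "mail3.clarion-hotels.cz."):
        proof, ok = check_response(q, "TLSA", "NOERROR", 0, RESPONSE_NSECS)
        print(f"{q:36} NSECs prove {proof:8} -> NOERROR/empty is "
              f"{'valid' if ok else 'BOGUS'}")
```

For mail3 the covering NSEC is mail2 -> apex, the closest encloser is clarion-hotels.cz, and the *.clarion-hotels.cz NSEC shows that wildcard exists without TLSA, so an empty NOERROR is the right answer. For _25._tcp.mail2 the same NSEC covers the name, but the closest encloser is mail2 itself, so the only wildcard that may apply is *.mail2.clarion-hotels.cz, which that NSEC also covers: the records prove NXDOMAIN, and the NOERROR the server chose (by wrongly applying *.clarion-hotels.cz) cannot be validated. A record of any type at the exact query name takes the first branch of prove() and sidesteps the wildcard question entirely.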
