On Sat, Sep 06, 2014 at 07:39:34AM +1000, Mark Andrews wrote:
> The problem is the wildcard and the broken wildcard processing, not
> the CNAME. The rcode is wrong as a result, NOERROR != NXDOMAIN.
Yes, that's it, as I eventually also figured out...
> Alternatively, adding non-TLSA records at the expected TLSA names
> should work as it should prevent the attempted wildcard lookup in
> the server and the resulting mis-match.
>
> _tlsa._tcp.mail.clarion-hotels.cz TXT "-"
> _tlsa._tcp.mail2.clarion-hotels.cz TXT "-"
Right, indeed:
_25._tcp.mail.clarion-hotels.cz IN TXT "No TLSA RRs here yet"
_25._tcp.mail2.clarion-hotels.cz IN TXT "No TLSA RRs here yet"
should do the job. Thanks, I'll suggest this to them as a better
interim solution.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
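An added illustration, not code from the thread: a small Python model of RFC 4592 wildcard matching that shows why the correct rcode for `_25._tcp.mail.clarion-hotels.cz` is NXDOMAIN, how a server that skips the closest-encloser check answers NOERROR instead, and why the placeholder TXT records keep both servers off the wildcard path. The zone contents and the faulty server's behaviour are assumptions; only the owner names come from the thread.

```python
# Constructed zone: only the owner names from the thread are real; the
# wildcard CNAME and the other RRsets are assumptions for illustration.
ZONE = {
    "clarion-hotels.cz": {"SOA", "NS"},
    "*.clarion-hotels.cz": {"CNAME"},
    "mail.clarion-hotels.cz": {"A"},
    "mail2.clarion-hotels.cz": {"A"},
}

def parent(name):
    return name.partition(".")[2]

def exists(zone, name):
    # A name exists if it owns data or is an ancestor of one that does.
    return any(k == name or k.endswith("." + name) for k in zone)

def answer(rrs, qtype):
    # A CNAME is returned for any qtype; NODATA = NOERROR, empty answer.
    return "NOERROR" if qtype in rrs or "CNAME" in rrs else "NODATA"

def correct_lookup(zone, qname, qtype):
    # RFC 4592: the wildcard covers only names whose closest encloser is
    # the wildcard's parent, so mail.clarion-hotels.cz shields its children.
    if exists(zone, qname):
        return answer(zone.get(qname, set()), qtype)
    encloser = parent(qname)
    while encloser and not exists(zone, encloser):
        encloser = parent(encloser)
    if "*." + encloser in zone:
        return answer(zone["*." + encloser], qtype)
    return "NXDOMAIN"

def broken_lookup(zone, qname, qtype):
    # Assumed faulty behaviour: any wildcard ancestor matches, even past an
    # existing intermediate name. That yields NOERROR where NXDOMAIN belongs.
    if exists(zone, qname):
        return answer(zone.get(qname, set()), qtype)
    name = parent(qname)
    while name:
        if "*." + name in zone:
            return answer(zone["*." + name], qtype)
        name = parent(name)
    return "NXDOMAIN"

def with_placeholders(zone):
    # Interim fix from the thread: a TXT RR at each expected TLSA name.
    fixed = {k: set(v) for k, v in zone.items()}
    for host in ("mail", "mail2"):
        fixed["_25._tcp.%s.clarion-hotels.cz" % host] = {"TXT"}
    return fixed
```

With the placeholders in place the name exists, so the TLSA query yields NODATA from both the correct and the faulty lookup, which a DANE client treats as "no TLSA records" rather than a mismatch.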