Hello,

This MTA is a dual stack Postfix machine, which also has a dual stack resolver running.
When testing DANE to a remote IPv4-only MTA, I see an attempt to look up a non-existent AAAA record by posttls-finger. The remote site has only IPv4 records in the zone, except for the zone NS records, which come from dual stack resolvers (which are auth).

> me@mta:/# posttls-finger -v -c -l dane -P/etc/ssl/certs domain1.com.au
posttls-finger: name_mask: dns
posttls-finger: name_mask: routine
posttls-finger: name_mask: certmatch
posttls-finger: name_mask: routine
posttls-finger: name_mask: certmatch
posttls-finger: name_mask: ipv6
posttls-finger: name_mask: ipv4
posttls-finger: inet_addr_local: configured 2 IPv4 addresses
posttls-finger: inet_addr_local: configured 3 IPv6 addresses
posttls-finger: parse_destination: domain1.com.au smtp
posttls-finger: dns_query: domain1.com.au (MX): OK
posttls-finger: dns_get_answer: type MX for domain1.com.au
posttls-finger: dns_get_answer: type RRSIG for domain1.com.au
posttls-finger: addr_one: host mta.domain1.com.au
posttls-finger: lookup mta.domain1.com.au type A flags 8388608
posttls-finger: dns_query: mta.domain1.com.au (A): OK
posttls-finger: dns_get_answer: type A for mta.domain1.com.au
posttls-finger: dns_get_answer: type RRSIG for mta.domain1.com.au
posttls-finger: lookup mta.domain1.com.au type AAAA flags 8388608
posttls-finger: dns_query: mta.domain1.com.au (AAAA): Host found but no data record of requested type
posttls-finger: no TLSA records found, resorting to "secure"

The (slave) resolver on this box contains the AD records for the remote domain. I don't seem to have DANE issues with any other remote DANE-enabled domains. As a test, when I issue the same query on the actual remote MTA, he receives the TLSA record successfully and is able to verify the TLS.
> me@mta2:/# posttls-finger -v -c -l dane -P/etc/ssl/certs domain1.com.au
posttls-finger: inet_addr_local: configured 2 IPv4 addresses
posttls-finger: parse_destination: domain1.com.au smtp
posttls-finger: dns_query: domain1.com.au (MX): OK
posttls-finger: dns_get_answer: type MX for domain1.com.au
posttls-finger: dns_get_answer: type RRSIG for domain1.com.au
posttls-finger: addr_one: host mta.domain1.com.au
posttls-finger: lookup mta.domain1.com.au type A flags 8388608
posttls-finger: dns_query: mta.domain1.com.au (A): OK
posttls-finger: dns_get_answer: type A for mta.domain1.com.au
posttls-finger: dns_get_answer: type RRSIG for mta.domain1.com.au
posttls-finger: dns_query: _25._tcp.mta.domain1.com.au (TLSA): OK
posttls-finger: dns_get_answer: type TLSA for _25._tcp.mta.domain1.com.au
posttls-finger: dns_get_answer: type RRSIG for _25._tcp.mta.domain1.com.au
posttls-finger: using DANE RR: _25._tcp.mta.domain1.com.au IN TLSA 3 1 1 EC:xxx (blah)

Any thoughts as to why posttls-finger / Postfix are seeking a non-existent AAAA record?

Mal
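An added example, not part of the post above and not Postfix code: a small parser for the verbose posttls-finger messages shown in the two transcripts (the dns_query, "using DANE RR" and "no TLSA records found" lines), which walks the MX, A/AAAA and TLSA lookups and reports where the DANE chain stopped. It assumes only the message formats visible in the post; the two sample logs are constructed from the post's output, trimmed to the lines that matter. Run over both transcripts it makes the difference explicit: on the first host no TLSA query is ever issued and the last non-OK answer is the AAAA NODATA, while on the second the TLSA record is found and used. The script reads only the log; whether that AAAA NODATA answer was DNSSEC-validated (AD bit) by the local resolver is the next thing to check on the resolver itself, which this does not do.

```python
"""Parse posttls-finger -v output and locate where a DANE lookup chain stops.

Added example (not from the post or from Postfix). Assumes the message formats
visible in the post's transcripts; the sample logs below are constructed from them.
"""
import re
from typing import Dict, List, NamedTuple

# The three posttls-finger messages the MX -> A/AAAA -> TLSA chain depends on.
QUERY_RE = re.compile(r"dns_query: (?P<name>\S+) \((?P<rtype>[A-Z]+)\): (?P<status>.+)$")
DANE_RR_RE = re.compile(
    r"using DANE RR: (?P<name>\S+) IN TLSA (?P<usage>\d) (?P<selector>\d) (?P<mtype>\d)"
)
FALLBACK_RE = re.compile(r'no TLSA records found, resorting to "(?P<level>[a-z]+)"')


class Query(NamedTuple):
    name: str
    rtype: str
    status: str


def parse_queries(log: str) -> List[Query]:
    """Return every dns_query line as (name, rtype, status), in log order."""
    found = []
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m:
            found.append(Query(m["name"], m["rtype"], m["status"].strip()))
    return found


def diagnose(log: str) -> Dict[str, object]:
    """Summarise the lookup chain and say where it stopped."""
    queries = parse_queries(log)
    dane_rr = DANE_RR_RE.search(log)
    fallback = FALLBACK_RE.search(log)
    tlsa_attempted = any(q.rtype == "TLSA" for q in queries)
    # Address lookups that returned anything other than OK (e.g. NODATA for AAAA).
    addr_nodata = [(q.name, q.rtype) for q in queries
                   if q.rtype in ("A", "AAAA") and q.status != "OK"]
    if dane_rr:
        verdict = f"TLSA record used for {dane_rr['name']} (usage {dane_rr['usage']})"
    elif not tlsa_attempted:
        last = (f"{addr_nodata[-1][1]} lookup for {addr_nodata[-1][0]} returned no data"
                if addr_nodata else "address lookups")
        verdict = "TLSA lookup never attempted; chain stopped after " + last
    else:
        verdict = "TLSA queried but no usable record returned"
    return {
        "queries": [tuple(q) for q in queries],
        "tlsa_attempted": tlsa_attempted,
        "tlsa_usage": int(dane_rr["usage"]) if dane_rr else None,
        "fallback_level": fallback["level"] if fallback else None,
        "address_lookups_without_data": addr_nodata,
        "verdict": verdict,
    }


# Constructed sample: the dual stack host's run, reduced to the relevant lines.
RUN_MTA = """\
posttls-finger: dns_query: domain1.com.au (MX): OK
posttls-finger: addr_one: host mta.domain1.com.au
posttls-finger: dns_query: mta.domain1.com.au (A): OK
posttls-finger: dns_query: mta.domain1.com.au (AAAA): Host found but no data record of requested type
posttls-finger: no TLSA records found, resorting to "secure"
"""

# Constructed sample: the remote (IPv4-only) host's run, reduced to the relevant lines.
RUN_MTA2 = """\
posttls-finger: dns_query: domain1.com.au (MX): OK
posttls-finger: addr_one: host mta.domain1.com.au
posttls-finger: dns_query: mta.domain1.com.au (A): OK
posttls-finger: dns_query: _25._tcp.mta.domain1.com.au (TLSA): OK
posttls-finger: using DANE RR: _25._tcp.mta.domain1.com.au IN TLSA 3 1 1 EC:xxx (blah)
"""

if __name__ == "__main__":
    for label, log in (("mta", RUN_MTA), ("mta2", RUN_MTA2)):
        print(f"{label}: {diagnose(log)['verdict']}")
```

The first run reports that the TLSA lookup was never attempted and that the chain stopped after the AAAA lookup returned no data; the second reports the TLSA record in use. A NODATA answer for AAAA is the expected result for an IPv4-only host, so the interesting question is not that the lookup happened but how the resolver answered it.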