> On Oct 17, 2017, at 3:58 AM, Mal <m...@jetlan.com> wrote:
> 
>> There's no such thing as "AD records".
> 
> Was just a shortcut for 'Authoritative domain record'.

I've never seen that phrase before.

> The zone exists on that resolver and is queried directly.
> Will avoid lo[o]se english in future.

So it seems that the machine in question has the authoritative
server for the zone as its recursive server.  Such mixing of
authoritative and recursive workloads is discouraged these days,
and critically, it breaks DANE in Postfix for any authoritative
zones, because authoritative servers are not validating resolvers,
and don't set the AD bit in authoritative replies.  As seen below:

>> Post the (unobfuscated) output
> 
> malz@Woody:~$ domain="signsinc.com.au"
> malz@Woody:~$ dig +noall +comment +ans +auth +nocl +nottl -t mx "$domain."
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55931
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 8

No "ad" bit in the "flags:" field.

> signsinc.com.au.        MX      20 access.signsinc.com.au.

So the MX record is not seen as "secure" by Postfix.

> malz@Woody:~$ for mx in $(dig +short -t mx $domain | sort -n | awk '{print $2}')
>> do
>>  dig +noall +comment +ans +auth +nocl +nottl -t a "$mx"
>>  dig +noall +comment +ans +auth +nocl +nottl -t aaaa "$mx"
>>  dig +noall +comment +ans +auth +nocl +nottl -t tlsa "_25._tcp.$mx"
>> done
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37823
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 7

No "ad" bit here either.

> access.signsinc.com.au. A       150.101.252.86

The A record is not seen as "secure" by Postfix.

On my server the authoritative BIND nameserver listens on the
external public IP address, while the validating unbound resolver
listens on 127.0.0.1 and the internal network interface.  The
"/etc/resolv.conf" file lists 127.0.0.1, so DNS queries from
applications go to unbound, not BIND.  The "unbound" server
is configured to do DNSSEC validation, and queries BIND setting
the "ad" bit as/when appropriate.

The BIND server refuses recursion, while the unbound server
serves no authoritative zones.

-- 
        Viktor.

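Added example, not part of the list message above: a POSIX shell script that applies the test Viktor performs by eye to dig's ";; flags:" line. An answer is only usable for DANE when it carries the "ad" (Authenticated Data) bit from a validating resolver; an answer with "aa" and no "ad" means the query went straight to an authoritative server (or to a mixed authoritative/recursive one), so nothing was validated. The sample responses are constructed for the example: the first reuses the flags line from the thread, the other two are what a validating resolver would return for a signed and an unsigned zone. `live_check` runs the same MX/A/AAAA/TLSA loop as the quoted commands and needs dig and network access, so it is not called when the script runs stand-alone.

```shell
#!/bin/sh
# Classify dig responses by header flags, as Postfix's DANE logic effectively
# does: only "ad" counts as secure. Example code, not from the list thread.

# Extract the flag tokens from the ";; flags: ..." comment line of dig output.
# Example line: ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, ..."
flags_of() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1
}

# Return 0 (true) when the named flag appears in the response flags.
has_flag() {
    _resp=$1
    _flag=$2
    for _f in $(flags_of "$_resp"); do
        [ "$_f" = "$_flag" ] && return 0
    done
    return 1
}

# Map a dig response to one of three verdicts:
#   secure        - "ad" set: validated by a DNSSEC-aware resolver, usable for DANE
#   authoritative - "aa" set, no "ad": answered by the authoritative server
#                   itself, so no validation happened (the situation in the thread)
#   insecure      - neither: unsigned zone, or a resolver that does not validate
verdict() {
    if has_flag "$1" ad; then
        echo secure
    elif has_flag "$1" aa; then
        echo authoritative
    else
        echo insecure
    fi
}

# Live check of the DANE lookup chain (MX -> A/AAAA -> TLSA) against the
# resolver named in /etc/resolv.conf. Needs dig and network access.
live_check() {
    _domain=$1
    for _mx in $(dig +short -t mx "$_domain." | sort -n | awk '{print $2}'); do
        for _q in "a $_mx" "aaaa $_mx" "tlsa _25._tcp.$_mx"; do
            set -- $_q
            _out=$(dig +noall +comment +ans +nocl +nottl -t "$1" "$2")
            printf '%-5s %-40s %s\n' "$1" "$2" "$(verdict "$_out")"
        done
    done
}

# Constructed sample responses (only the header comment lines matter here).
# SAMPLE_AUTH copies the flags line from the thread: the authoritative server
# answering directly. The other two are constructed validating-resolver answers.
SAMPLE_AUTH=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55931
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 8'

SAMPLE_VALIDATED=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_UNSIGNED=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Stand-alone demo over the constructed samples.
for _s in "$SAMPLE_AUTH" "$SAMPLE_VALIDATED" "$SAMPLE_UNSIGNED"; do
    printf '%-14s <- flags: %s\n' "$(verdict "$_s")" "$(flags_of "$_s")"
done
```

To test a real mail domain, source the script and run `live_check example.com` in an interactive shell. A column of "authoritative" verdicts is the signature of the setup discussed in the thread: /etc/resolv.conf points at the authoritative server, and the fix is to point it at a validating resolver (unbound on 127.0.0.1 in Viktor's layout) that forwards or recurses to the authoritative server instead.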