On Wed, Sep 03, 2014 at 02:40:09PM +, Viktor Dukhovni wrote:
$ dig +cd +dnssec +noall +comment +ans +auth -t tlsa
fail.mail2.clarion-hotels.cz
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 63426
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 6,
Hi,
we encounter an issue with DANE-enabled Postfix
trying to deliver mail to a DNSSEC-enabled domain
that has no specific TLSA records for its MX but
obviously a wildcard CNAME entry:
Sep 3 14:18:47 mailout1 postfix/smtp[30772]: warning: DANE TLSA lookup
problem: Host or domain name not
Robert Sander:
Checking application/pgp-signature: FAILURE
-- Start of PGP signed section.
Hi,
we encounter an issue with DANE-enabled Postfix
trying to deliver mail to a DNSSEC-enabled domain
that has no specific TLSA records for its MX but
obviously a wildcard CNAME entry:
Sep 3
On Wed, Sep 03, 2014 at 02:25:06PM +0200, Robert Sander wrote:
Sep 3 14:18:47 mailout1 postfix/smtp[30772]: warning: DANE TLSA lookup
problem: Host or domain name not found. Name service error for
name=_25._tcp.mail2.clarion-hotels.cz type=TLSA: Host not found, try again
$ host -t tlsa
Viktor Dukhovni:
On Wed, Sep 03, 2014 at 02:25:06PM +0200, Robert Sander wrote:
Sep 3 14:18:47 mailout1 postfix/smtp[30772]: warning: DANE TLSA lookup
problem: Host or domain name not found. Name service error for
name=_25._tcp.mail2.clarion-hotels.cz type=TLSA: Host not found, try
Wietse Venema:
Robert Sander:
Checking application/pgp-signature: FAILURE
-- Start of PGP signed section.
Hi,
we encounter an issue with DANE-enabled Postfix
trying to deliver mail to a DNSSEC-enabled domain
that has no specific TLSA records for its MX but
obviously a wildcard
On Wed, Sep 03, 2014 at 10:43:21AM -0400, Wietse Venema wrote:
I don't see a CNAME, I get SERVFAIL:
Actually, this depends on your resolver. Search your favorite
search engine for DNSSEC wildcard.
Unbound is supposed to handle this correctly. It also SERVFAILs
at Google's 8.8.8.8