• Tobias Fiebig via mailop [2024-06-10 14:09]:
> Moin,
> are you sure the RRset is not inadvertently bogus? Can slip by rather
> easily for a set of reasons; old RRSIGs for example after one of the
> entries got updated?

no. LE TLSA RRs are generated automatically based on URL lists, so there
are neither dupes nor errors. zones are signed by ldns-signzone prior to
getting distributed to name servers for publishing.

> If not; Out of personal curiosity; can you test where 'the boundary' is
> to trigger the error? should be doable with like 4 test domains max
> (bin-search starting at 7 RR in the set).

_that_ was an interesting challenge indeed! the answer I got is 12: 12
TLSA RRs are OK, but when there are 13 or 14, emails are stuck somewhere
and would later trigger an error message. (for the sake of
completeness, I went all the way with domains from 6 to 14 TLSA RRs)

> With best regards,
> Tobias
> 
> On Mon, 2024-06-10 at 12:36 +0200, Kirill Miazine via mailop wrote:
> > Apparently exchange online would provide an error to the user like
> > this:
> > 
> > dnssec-invalid: Destination domain returned invalid DNSSEC records
> > 
> > https://learn.microsoft.com/en-us/exchange/troubleshoot/email-delivery/ndr/non-delivery-reports-in-exchange-online
> >  
> > explains what this really means:
> > 
> > The destination domain indicated it was DNSSEC-authentic, but Exchange
> > Online wasn't able to verify it as DNSSEC-authentic.
> > 
> > So the guess is that Exchange Online is getting in trouble when there
> > are more than a few TLSA records...
> > 
> > • Kirill Miazine via mailop [2024-06-10 12:06]:
> > > Although there are better alternatives to 2 1 1 with Let's Encrypt,
> > > some still use 2 1 1, and it seems Exchange Online is not happy when
> > > there are 14 TLSA records (why 14? because
> > > https://letsencrypt.org/certificates/)... A good reason to not use
> > > 2 1 1....
> > > 
> > >   ; TLSA - LE certs published at
> > > https://letsencrypt.org/certificates/
> > > -_le-tlsa       TLSA    2 1 1 
> > > 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 ;
> > > LE E1
> > > -               TLSA    2 1 1 
> > > bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 ;
> > > LE E2
> > > -               TLSA    2 1 1 
> > > 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d ;
> > > LE R3
> > > -               TLSA    2 1 1 
> > > e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 ;
> > > LE R4
> > > +_le-tlsa       TLSA    2 1 1 
> > > 3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8 ;
> > > LE
> > > +               TLSA    2 1 1 
> > > d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7
> > > +               TLSA    2 1 1 
> > > 2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba
> > > +               TLSA    2 1 1 
> > > 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7
> > > +               TLSA    2 1 1 
> > > cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75
> > > +               TLSA    2 1 1 
> > > 885bf0572252c6741dc9a52f5044487fef2a93b811cdedfad7624cc283b7cdd5
> > > +               TLSA    2 1 1 
> > > f1440a9b76e1e41e53a4cb461329bf6337b419726be513e42e19f1c691c5d4b2
> > > +               TLSA    2 1 1 
> > > 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4
> > > +               TLSA    2 1 1 
> > > 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d
> > > +               TLSA    2 1 1 
> > > f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888
> > > +               TLSA    2 1 1 
> > > 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
> > > +               TLSA    2 1 1 
> > > 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
> > > +               TLSA    2 1 1 
> > > e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
> > > +               TLSA    2 1 1 
> > > bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
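Review bot: the replacement records from `+_le-tlsa       TLSA    2 1 1` onward drop the per-record labels the removed lines carried (`; LE E1`, `; LE E2`, `; LE R3`, `; LE R4`); only the first new record keeps a bare `; LE` comment, and the remaining thirteen digests are unlabelled. Since the thread's finding is that the 14-record set is what trips Exchange Online, labelling each `2 1 1` entry with the intermediate it pins (as the old lines did) would let the set be trimmed back to the certificates actually in use without matching digests against https://letsencrypt.org/certificates/ by hand.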
> > > _______________________________________________
> > > mailop mailing list
> > > mailop@mailop.org
> > > https://list.mailop.org/listinfo/mailop
> 
> -- 
> Dr.-Ing. Tobias Fiebig
> T +31 616 80 98 99
> M tob...@fiebig.nl
> 

-- 
    -- Kirill Miazine <k...@krot.org>
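The generated-zone workflow and the measured cut-off above (12 TLSA RRs delivered, 13 or 14 rejected by Exchange Online) suggest a pre-publication lint of the TLSA RRset. The following is an added example, not code from the thread, from ldns-signzone or from any tool mentioned here: it parses master-format TLSA lines with inherited owner names, validates the usage/selector/matching-type fields and digest length, flags case-insensitive duplicates, and warns when one owner's RRset exceeds a threshold. The threshold of 12 is taken from the thread's measurement and is an assumption, as are the `_le-tlsa` sample zone (built from the digests posted above, one record per line), the `_bad` sample, and all function names.

```python
import re
from collections import Counter, defaultdict

# Threshold reported in the thread: 12 TLSA RRs delivered, 13 and 14 triggered
# Exchange Online's "dnssec-invalid" NDR. Assumed here as the lint cut-off.
EXCHANGE_ONLINE_MAX_TLSA = 12

# Expected hex length of the certificate association data per matching type
# (1 = SHA-256, 2 = SHA-512); type 0 carries the full object and is not checked.
HEX_LEN_FOR_MTYPE = {1: 64, 2: 128}

# Constructed sample: the 14 "2 1 1" records from the thread, unwrapped.
SAMPLE_ZONE = """\
; TLSA - LE certs published at https://letsencrypt.org/certificates/
_le-tlsa       TLSA    2 1 1 3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8 ; LE
               TLSA    2 1 1 d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7
               TLSA    2 1 1 2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba
               TLSA    2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7
               TLSA    2 1 1 cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75
               TLSA    2 1 1 885bf0572252c6741dc9a52f5044487fef2a93b811cdedfad7624cc283b7cdd5
               TLSA    2 1 1 f1440a9b76e1e41e53a4cb461329bf6337b419726be513e42e19f1c691c5d4b2
               TLSA    2 1 1 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4
               TLSA    2 1 1 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d
               TLSA    2 1 1 f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888
               TLSA    2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
               TLSA    2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
               TLSA    2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
               TLSA    2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
"""

# Constructed sample with a case-only duplicate and a truncated digest.
BAD_ZONE = """\
_bad  TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
      TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
      TLSA 2 1 1 deadbeef
"""


def parse_tlsa_zone(zone_text):
    """Return ([(owner, usage, selector, mtype, data), ...], [problems]).
    A line starting with whitespace inherits the previous owner name, as in
    master-format zone files; ';' starts a comment; non-TLSA lines are skipped."""
    records, problems = [], []
    owner = None
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if not raw[0].isspace():
            owner = tokens.pop(0)
        if owner is None:
            problems.append(f"line {lineno}: record without owner name")
            continue
        # Skip an optional TTL and/or class ("3600 IN TLSA ...").
        while tokens and tokens[0].upper() != "TLSA":
            tokens.pop(0)
        if not tokens:
            continue
        fields = tokens[1:]
        if len(fields) < 4:
            problems.append(f"line {lineno}: TLSA record has too few fields")
            continue
        try:
            usage, selector, mtype = (int(x) for x in fields[:3])
        except ValueError:
            problems.append(f"line {lineno}: non-numeric usage/selector/matching type")
            continue
        # Association data may be split across tokens by whitespace; normalise case.
        data = "".join(fields[3:]).lower()
        if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
            problems.append(f"line {lineno}: unknown usage/selector/matching type "
                            f"{usage} {selector} {mtype}")
        want = HEX_LEN_FOR_MTYPE.get(mtype)
        if want is not None and (len(data) != want or not re.fullmatch(r"[0-9a-f]+", data)):
            problems.append(f"line {lineno}: matching type {mtype} needs {want} hex chars, "
                            f"got {len(data)}")
        records.append((owner, usage, selector, mtype, data))
    return records, problems


def lint_tlsa_rrset(zone_text, max_records=EXCHANGE_ONLINE_MAX_TLSA):
    """Per owner name: record count, number of duplicated records, and whether
    the RRset is larger than max_records. Also returns the syntax problems."""
    records, problems = parse_tlsa_zone(zone_text)
    per_owner = defaultdict(list)
    for rec in records:
        per_owner[rec[0]].append(rec)
    report = {}
    for owner, recs in per_owner.items():
        dupes = [r for r, n in Counter(recs).items() if n > 1]
        report[owner] = {
            "count": len(recs),
            "duplicates": len(dupes),
            "over_threshold": len(recs) > max_records,
        }
    return report, problems


if __name__ == "__main__":
    for name, zone in (("SAMPLE_ZONE", SAMPLE_ZONE), ("BAD_ZONE", BAD_ZONE)):
        report, problems = lint_tlsa_rrset(zone)
        print(name, report, problems)
```

Run against the 14-record sample the checker reports no syntax problems but `over_threshold` true; against the `_bad` sample it reports one duplicate (the two digests differ only in case, which DNS resolvers treat as the same record once the hex is decoded) and one truncated digest. Wiring this into the step between record generation and ldns-signzone catches an oversized or malformed set before it is signed and pushed to the name servers.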