[ Also posted to dane-us...@list.sys4.de ]

Some MTA operators neglect to prune outdated TLSA records with "usage"
DANE-EE(3).  As keys or certificates are replaced, they add new matching
TLSA records, never dropping the records matching the outdated keys.

This largely defeats the purpose of key or certificate rollover, since
it blesses (at least in the context of DANE) ongoing misuse of any past
compromise of the old key.  And it results in ever-growing TLSA record
DNS payload sizes, resulting initially in needlessly large UDP payloads,
and ultimately failover to TCP for every lookup.

It is best to avoid this pattern and prune outdated TLSA records once
the corresponding key (3 1 X) or certificate (3 0 X) is no longer in
use.

Example (current DANE-EE(3) count record holder):

    _25._tcp.mail.evocat.net TLSA 3 1 1 83037f6a136945f50dbc4e4cb65d0c154b726992eafb55ba5b3b4e4bcbde9715 ; 2022-05-27 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 379f309bff870568b06756c3ccb321692fdde8e970950ca0cbae3b4595e5b538 ; 2022-07-27 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 a31fdc67764edc9e7bc734b907bd8b514f4616d2e8e2dfbcb01c8dc557acea34 ; 2022-09-25 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 21e1d9438b6528948794244cf1caf5802c6edb5a3415d33d7299c7daadee3834 ; 2022-11-24 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 c7be1ef02c2556cf4f421cb724b0327676d2d144790042a3aa603dfc96fb4a5a ; 2023-01-23 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 8115a64ccf2aa3b7e06c2e0cab0b972ca98eb83c707b68fc725c02195ce8d47f ; 2023-03-25 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 37c12ea11d4cd88c756768308a13587ebdd4fe626f7dc2512e37c85d1fe20d14 ; 2023-05-24 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 196d17a19f5dc1c0ad4a58eb8afff5e07b92ba72cd6d776b941e4233856c0636 ; 2023-07-24 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 3b3ee102ccb95a75ca73b337b4ba88d33b3cff3b1a2309227d71ccd808144482 ; 2023-09-22 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 e896a20362f25d49a869f12ff99878b86e37dc86af38c04c29ab8992a6502f30 ; 2023-11-21 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 7475c707cdf5137eea74ea02f23b81ede7a1b4d2edb65af08c8cc1749a3f5c99 ; 2024-01-21 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 e5949d3fb74344210439161d7bf2fb53e0bc68fe74a1e21a870c8881fbcd5901 ; 2024-03-21 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 31ea43c1733770793b157aa8963a2fc3dfc969ad3c6849c31d33e14ff643615e ; 2024-05-20 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 87e19f49bf9fae3273509940f27931dcf2edd3fc132eb1f2ddbe56e2bc2e0410 ; 2024-07-19 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 a0c849a30b9cf92c206a28723324ed40318a7e2a82e56104959588a795db3669 ; 2024-09-19 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 468e0e2e119ea97bc8ab3c34792fa479dd8ea2d47e62a868020e06dc3d25c304 ; 2024-11-17 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 d6fffb71e83fcec0dde93edbbc1c50b0fdff21dffc78390c309c1cf3dd350370 ; 2025-01-16 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 a2cb82878da95d9bae063340e6312ab7fe85100671899bf13793dc8893e42ac9 ; 2025-03-17 - present
    _25._tcp.mail.evocat.net TLSA 3 1 1 e4ccf3f074a06cd30722fc42df127ef8e682136b40116e6bb77adf9679140f2f ; 2025-05-16 - present

The authoritative DNS server returns a truncated (TC=1) response,
leading to TCP fallback and high, from my vantage point, latency:

    $ dig @ns1.evocat.net +norecur +dnssec +noall +stats -t tlsa _25._tcp.mail.evocat.net
    ;; Query time: 1014 msec
    ;; SERVER: 185.157.233.76#53(ns1.evocat.net) (TCP)
    ;; WHEN: Mon Jun 23 04:03:04 UTC 2025
    ;; MSG SIZE  rcvd: 2886

By way of comparison, the "A" RRset response fits in UDP and the latency
I see is 5x lower:

    $ dig @ns1.evocat.net +norecur +dnssec +noall +stats -t a mail.evocat.net
    ;; Query time: 201 msec
    ;; SERVER: 185.157.233.76#53(ns1.evocat.net) (UDP)
    ;; WHEN: Mon Jun 23 04:04:55 UTC 2025
    ;; MSG SIZE  rcvd: 1106

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
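The check that the post recommends, as an added worked example (this is not code from the post, from Postfix, or from evocat.net): given the TLSA RRset published for an MTA and the certificate(s) it actually serves, compute the DANE-EE matching data for each selector/matching-type pair (certificate or SPKI, SHA-256 or SHA-512, as in RFC 6698), keep only the usage-3 records that still match a served certificate, and report the rest for pruning. It also estimates how many answer-section bytes the RRset costs on the wire, which is what drives the UDP-to-TCP fallback shown above. The owner name `mail.example.net`, the zone lines in `SAMPLE_ZONE`, and the certificates built by `fake_cert` (structurally valid DER with a junk signature) are all constructed for the example; the DER walker assumes a well-formed X.509 certificate and is not a general ASN.1 parser.

```python
"""Prune check for DANE-EE(3) TLSA records: keep only usage-3 records whose matching
data corresponds to a certificate the MTA still serves, and estimate the DNS
answer-section size of the RRset. Added example; not Postfix or evocat.net code."""
import hashlib

# --- minimal DER helpers, enough for a well-formed X.509 certificate ---
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this TLV); short and long length forms."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def subject_public_key_info(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo; the returned SPKI DER
    is the input for selector 1 (RFC 6698 section 2.1.2)."""
    _, cert, _ = read_tlv(cert_der, 0)       # Certificate ::= SEQUENCE { tbs, sigalg, sig }
    _, tbs, _ = read_tlv(cert, 0)            # TBSCertificate ::= SEQUENCE { ... }
    pos = 0
    tag, _, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                       # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    tag, _, end = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return tbs[pos:end]

def live_matching_data(cert_der: bytes) -> dict:
    """(usage, selector, mtype) -> hex matching data for one served certificate."""
    spki = subject_public_key_info(cert_der)
    return {(3, 0, 1): hashlib.sha256(cert_der).hexdigest(),
            (3, 0, 2): hashlib.sha512(cert_der).hexdigest(),
            (3, 1, 1): hashlib.sha256(spki).hexdigest(),
            (3, 1, 2): hashlib.sha512(spki).hexdigest()}

def parse_tlsa(line: str):
    """'owner [ttl] [IN] TLSA u s m hex...' -> (owner, (u, s, m, hex)); ';' comments dropped."""
    f = line.split(";", 1)[0].split()
    i = [t.upper() for t in f].index("TLSA")
    return f[0], (int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).lower())

def prune_plan(rrset, live_certs):
    """Split an RRset into (keep, drop): a usage-3 record survives only if its matching
    data equals that of a certificate still served; other usages are left untouched."""
    live = [live_matching_data(c) for c in live_certs]
    keep, drop = [], []
    for rr in rrset:
        usage, sel, mt, data = rr
        current = usage == 3 and any(l.get((usage, sel, mt)) == data for l in live)
        (keep if usage != 3 or current else drop).append(rr)
    return keep, drop

def answer_section_bytes(owner: str, rrset) -> int:
    """Wire size of the answer RRset alone: full owner name on the first RR, a 2-byte
    compression pointer on the rest, 10 fixed bytes, then 3 + digest bytes of RDATA.
    RRSIGs and the authority/additional sections come on top of this."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    name = sum(len(l) + 1 for l in labels) + 1
    return sum((name if i == 0 else 2) + 10 + 3 + len(bytes.fromhex(d))
               for i, (_, _, _, d) in enumerate(rrset))

# --- constructed certificates standing in for what the MTA serves ---
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")

def fake_spki(seed: bytes) -> bytes:
    """Stand-in SPKI: rsaEncryption AlgorithmIdentifier plus pseudo-random key bytes (not a real key)."""
    alg = tlv(0x30, tlv(0x06, OID_RSA_ENCRYPTION) + tlv(0x05, b""))
    return tlv(0x30, alg + tlv(0x03, b"\x00" + hashlib.sha512(seed).digest()))

def fake_cert(seed: bytes) -> bytes:
    """Structurally valid DER Certificate around fake_spki(seed); the signature is junk."""
    alg = tlv(0x30, tlv(0x06, OID_RSA_ENCRYPTION) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"mail.example.net"))))
    validity = tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"260101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name + validity + name + fake_spki(seed))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\x00" * 16))

CURRENT_CERT = fake_cert(b"key in service since 2025-05")   # constructed
PREVIOUS_CERT = fake_cert(b"key retired in 2025-05")        # constructed
SAMPLE_ZONE = [   # constructed zone lines, not real DNS data
    f"_25._tcp.mail.example.net. TLSA 3 1 1 {live_matching_data(CURRENT_CERT)[(3, 1, 1)]} ; current key",
    f"_25._tcp.mail.example.net. TLSA 3 0 1 {live_matching_data(CURRENT_CERT)[(3, 0, 1)]} ; current cert",
    f"_25._tcp.mail.example.net. TLSA 3 1 1 {live_matching_data(PREVIOUS_CERT)[(3, 1, 1)]} ; stale, key rolled",
    "_25._tcp.mail.example.net. TLSA 2 1 1 " + "ab" * 32 + " ; DANE-TA(2), outside this check",
]

def plan_for_sample():
    owner = parse_tlsa(SAMPLE_ZONE[0])[0]
    rrset = [parse_tlsa(l)[1] for l in SAMPLE_ZONE]
    keep, drop = prune_plan(rrset, [CURRENT_CERT])
    return owner, keep, drop

if __name__ == "__main__":
    owner, keep, drop = plan_for_sample()
    for rr in drop:
        print("DROP", owner, "TLSA", *rr)
    print("answer section:", answer_section_bytes(owner, keep + drop), "->", answer_section_bytes(owner, keep), "bytes")
```

To run this against a real server you would feed `prune_plan` the DER of the certificate(s) obtained from the MTA (for example the chain shown by `openssl s_client -starttls smtp -connect host:25 -showcerts`, converted with `openssl x509 -outform DER`) and the TLSA lines returned by `dig`; Postfix's `posttls-finger` likewise reports which TLSA records matched the served certificate. The size estimate shows why the 19-record RRset above cannot stay in a small UDP reply: the TLSA answer section alone is 917 bytes before any RRSIG is added.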