On Wed, Sep 03, 2014 at 02:25:06PM +0200, Robert Sander wrote:

> Sep 3 14:18:47 mailout1 postfix/smtp[30772]: warning: DANE TLSA lookup
> problem: Host or domain name not found. Name service error for
> name=_25._tcp.mail2.clarion-hotels.cz type=TLSA: Host not found, try again
>
> $ host -t tlsa _25._tcp.mail2.clarion-hotels.cz
> _25._tcp.mail2.clarion-hotels.cz is an alias for clarion-hotels.cz.

I don't see a CNAME, I get SERVFAIL:

    $ dig +ad +noall +comment +ans +auth -t tlsa _25._tcp.mail2.clarion-hotels.cz
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8100
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

Which is consistent with the above log entry. The problem is generic
to all sub-domains of the MX hostname in question:

    $ dig +ad +noall +comment +ans +auth -t a fail.mail2.clarion-hotels.cz
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11576
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

> I believe that Postfix stumbles across the unexpected
> CNAME record, that does not have a TLSA record.

No, DNSSEC signature problems are detected in the validating resolver,
not in Postfix. Disabling validation returns the following, which
presumably is either wrong or exposes a bug in unbound.

    $ dig +cd +dnssec +noall +comment +ans +auth -t tlsa fail.mail2.clarion-hotels.cz
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63426
    ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; ANSWER SECTION:
    fail.mail2.clarion-hotels.cz. 1430 IN CNAME clarion-hotels.cz.
    fail.mail2.clarion-hotels.cz. 1430 IN RRSIG CNAME 5 2 1800 20140924121306 20140825121306 13077 clarion-hotels.cz. M8OQ5fcnOYPX2XXvV9Cgefkjv2AHYFLAMeDfUpBuSk1PBFG6s/4tMSLb C/0r72TOjZupOHe5vizyzamAcE6m7dA4tlXGlWkTapf95lKFRokqjQow eRESgmZSS/b43jgxLv/+FRsu3rYnz77j3cC413qBn0PDDKLbepk0YEZC yTk=

    ;; AUTHORITY SECTION:
    mail2.clarion-hotels.cz. 2759 IN NSEC clarion-hotels.cz. A RRSIG NSEC
    mail2.clarion-hotels.cz. 2759 IN RRSIG NSEC 5 3 3600 20140924121306 20140825121306 13077 clarion-hotels.cz. WlUUsb1EqhP5mUfJ5DXpxvVs7Tw4h5802WCwXy4B2NByTbj3SfurhbV7 HBxPFA/I5OR4VkbWsFr7LlOpb93xRmEXt98afdrzzrKIgMIoNHu4oHDe ykeuV/7epjuHOxpZUKtfhe48ktKZ0NRievAyCUxiJA8evpgifR7AKKqS yGA=
    clarion-hotels.cz. 2716 IN SOA ns.forpsi.net. admin.forpsi.com. 2014082501 3600 1800 2592000 3600
    clarion-hotels.cz. 2716 IN RRSIG SOA 5 2 3600 20140924121306 20140825121306 13077 clarion-hotels.cz. F5DurWWNlg9zQrvFMQrdNNjH58Zv/TTVBQSOtslMYlwXWp3ZcJGCC1Ra veDuerwFv5dQUsBQIJpQc5eZmyXXH8YA5rOLBK1x19ej0hl1T3yi3pG6 4SJFCrzSIIFVKzX7nKDtfnFK/Zq3X6db7oh9I+gpNnyojuDCccuQNwov kQw=
    clarion-hotels.cz. 2716 IN NSEC *.clarion-hotels.cz. A NS SOA MX RRSIG NSEC DNSKEY
    clarion-hotels.cz. 2716 IN RRSIG NSEC 5 2 3600 20140924121306 20140825121306 13077 clarion-hotels.cz. OOeXzp0449w2dXf6zdvnidH69d27+9kPH6fJP9CK+coXuMiZ7WwheIn8 qZrhqYPu9xrnpgmYYkOeuaWDq2b+7rxKzzJTw/0hAjjO8vKRMr2sPyNi CpM2btBTM2FrKZvFJZegMYafo37QH05cg47hXAjEiyEYCMlJfNmMx+AN le8=

The problem is perhaps with the wildcard record in the authority
section, which seems to wildcard NS SOA and DNSKEY, making the wildcard
CNAMEs look like signed sub-zones.

> Is there anything we can do?

You can disable "dane" for this domain.

    tls-policy:
        clarion-hotels.cz may

The wildcard in question is unwise, it should instead be a CNAME to

    *.clarion-hotels.cz IN CNAME www.clarion-hotels.cz.

with "www.clarion-hotels.cz" having only A/AAAA records, and no NS,
DNSKEY, ...  There may be other issues.

-- 
	Viktor.
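The exchange above turns on two things: the difference between what a validating and a non-validating resolver report for the same TLSA name, and the fact that a per-domain TLS policy entry skips the TLSA lookup entirely. The following is an added example, not Postfix code and not part of the original thread: a small offline simulation of the decision an SMTP client makes for one MX host. The `Response` shape, the `dane_decision` and `tlsa_qname` names, the resolver tables and the `mx.example.net` TLSA string are all constructed for the example; the `clarion-hotels.cz` entries mirror the `dig` and `host` output quoted in the thread, and the model is deliberately simplified relative to the real Postfix DANE logic (RFC 7672).

```python
# Added example (not Postfix code, not from the thread): simulate the TLSA
# lookup decision for an MX host against constructed resolver responses.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Response:
    rcode: str                      # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    ad: bool = False                # AD bit: a validating resolver authenticated the data
    cname: Optional[str] = None     # alias target when the queried name is a CNAME
    tlsa: list = field(default_factory=list)   # TLSA presentation strings, if any


def tlsa_qname(mx_host: str, port: int = 25) -> str:
    """RFC 6698 owner name for the TLSA RRset of a service: _<port>._tcp.<host>."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


MAX_CNAME_HOPS = 8


def dane_decision(nexthop: str, mx_host: str, resolver: dict,
                  policy_map: Optional[dict] = None):
    """Decide how to treat TLS for one MX host (simplified model, not Postfix's code).

    Returns (action, detail):
      ("policy", level)       explicit per-domain policy entry wins; no TLSA lookup
                              is attempted (the "clarion-hotels.cz may" workaround)
      ("defer", reason)       SERVFAIL from the validating resolver: a temporary
                              lookup error, so the message is deferred rather than
                              sent without the expected authentication
      ("opportunistic", why)  no usable TLSA RRset: fall back to unauthenticated TLS
      ("dane", records)       authenticated TLSA RRset found: enforce DANE
    """
    if policy_map and nexthop in policy_map:
        return ("policy", policy_map[nexthop])

    qname = tlsa_qname(mx_host)
    for _ in range(MAX_CNAME_HOPS):
        resp = resolver.get(qname, Response("NXDOMAIN", ad=True))
        if resp.rcode == "SERVFAIL":
            # Mirrors "Host not found, try again": the resolver could not produce
            # a validated answer, and the client cannot tell bogus from broken.
            return ("defer", f"SERVFAIL for {qname}")
        if resp.rcode == "NXDOMAIN":
            return ("opportunistic", f"no TLSA at {qname}")
        if not resp.ad:
            # Unsigned data is useless for DANE: treat as "no usable TLSA".
            return ("opportunistic", f"unsigned answer for {qname}")
        if resp.cname:
            # Follow the alias; the TLSA RRset is looked up at the target name.
            qname = resp.cname
            continue
        if resp.tlsa:
            return ("dane", list(resp.tlsa))
        return ("opportunistic", f"no TLSA at {qname}")
    return ("opportunistic", "CNAME chain too long")


MX = "mail2.clarion-hotels.cz"

# Constructed: what the validating resolver in the thread returned (dig +ad).
VALIDATING = {
    tlsa_qname(MX): Response("SERVFAIL"),
}

# Constructed: what a non-validating lookup showed (host -t tlsa): an alias
# for the zone apex, which has no TLSA records and no AD bit.
NON_VALIDATING = {
    tlsa_qname(MX): Response("NOERROR", ad=False, cname="clarion-hotels.cz."),
    "clarion-hotels.cz.": Response("NOERROR", ad=False),
}

# Constructed: a healthy DANE-enabled MX (placeholder host name and digest).
HEALTHY = {
    tlsa_qname("mx.example.net"): Response(
        "NOERROR", ad=True,
        tlsa=["3 1 1 PLACEHOLDER_SHA256_OF_SPKI"]),
}

# The per-domain workaround suggested in the thread.
POLICY = {"clarion-hotels.cz": "may"}


if __name__ == "__main__":
    print(dane_decision("clarion-hotels.cz", MX, VALIDATING))
    print(dane_decision("clarion-hotels.cz", MX, NON_VALIDATING))
    print(dane_decision("clarion-hotels.cz", MX, VALIDATING, POLICY))
    print(dane_decision("example.net", "mx.example.net", HEALTHY))
```

Running it shows the two views side by side: the validating table yields a deferral (the behaviour behind the log warning), the non-validating table merely yields opportunistic TLS, and adding the policy entry short-circuits the lookup so the domain is never deferred on the broken signatures. The only case that actually enforces DANE is the one where the TLSA answer carries the AD bit.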