On Wed, Sep 03, 2014 at 02:40:09PM +0000, Viktor Dukhovni wrote:

>     $ dig +cd +dnssec +noall +comment +ans +auth -t tlsa 
> fail.mail2.clarion-hotels.cz
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63426
>     ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1
> 
>     ;; OPT PSEUDOSECTION:
>     ; EDNS: version: 0, flags: do; udp: 4096
>     ;; ANSWER SECTION:
>     fail.mail2.clarion-hotels.cz. 1430 IN     CNAME   clarion-hotels.cz.

This is wrong because mail2.clarion-hotels.cz exists and thus none
of its descendants are in scope for the sibling "*.clarion-hotels.cz"
wildcard.

>     fail.mail2.clarion-hotels.cz. 1430 IN     RRSIG   CNAME 5 2 1800 
> 20140924121306 20140825121306 13077 clarion-hotels.cz. 
> M8OQ5fcnOYPX2XXvV9Cgefkjv2AHYFLAMeDfUpBuSk1PBFG6s/4tMSLb 
> C/0r72TOjZupOHe5vizyzamAcE6m7dA4tlXGlWkTapf95lKFRokqjQow 
> eRESgmZSS/b43jgxLv/+FRsu3rYnz77j3cC413qBn0PDDKLbepk0YEZC yTk=

This RRSIG has a label count of 2, which, since the query name has
more labels, means that the signed name is "*.clarion-hotels.cz".
The signature is fine, but in order for the response to be valid
it must be accompanied by a signed non-existence proof for
"mail2.clarion-hotels.cz" (which we know exists).

>     ;; AUTHORITY SECTION:
>     mail2.clarion-hotels.cz. 2759     IN      NSEC    clarion-hotels.cz. A 
> RRSIG NSEC

Unsurprisingly, that's not what the NSEC record proves, it only
proves absence of descendants of "mail2" while disproving the
non-existence of "mail2", so the CNAME RR is busted.

> You can disable "dane" for this domain.
> 
>     tls-policy:
>       clarion-hotels.cz may

I'd like to find out what DNS server software is in place for this
domain.  Anyone in contact with their postmaster or DNS administrator?

    clarion-hotels.cz.      3600    IN      NS      ns.forpsi.net.
    clarion-hotels.cz.      3600    IN      NS      ns.forpsi.it.
    clarion-hotels.cz.      3600    IN      NS      ns.forpsi.cz.

-- 
        Viktor.
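The label-count reasoning above, as an added worked example (not code from the message, from Postfix, or from any validator). It derives the wildcard name and the "next closer name" from the RRSIG Labels field exactly as described, then checks whether the NSEC in the response proves that name absent, using RFC 4034 section 6.1 canonical ordering. The NSEC owner/next pair and RRSIG figures are the ones quoted above; the second NSEC (m -> n) is a constructed one showing what a proof that would actually validate looks like. It also shows why checking only that the NSEC "covers" the query name is not enough: the quoted NSEC does cover fail.mail2, yet it proves mail2 exists.

```python
"""Check whether a wildcard-expanded DNSSEC answer carries the NSEC proof it needs.

Added illustration; dataclass field names and helper names are this example's
own, not those of any DNS library.
"""
from dataclasses import dataclass


def labels(name):
    """Split a DNS name into labels, dropping the root label and ignoring case."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def canonical_key(name):
    """Sort key for RFC 4034 s6.1 canonical ordering.

    Labels are compared from the right (parent sorts before child), as byte
    strings, and a label that is a prefix of another sorts first ("m" < "mail2").
    Python list/bytes comparison has exactly these semantics.
    """
    return [l.encode("ascii") for l in reversed(labels(name))]


def nsec_covers(owner, next_name, name):
    """True if `name` lies strictly between the NSEC owner and its next name.

    The last NSEC in a zone points back to the apex, so next <= owner means
    "everything after owner" (wrap-around).
    """
    o, n, x = canonical_key(owner), canonical_key(next_name), canonical_key(name)
    if o < n:
        return o < x < n
    return x > o or x < n


@dataclass
class RRSIG:
    owner: str   # owner name of the RRset the signature covers
    labels: int  # the RRSIG Labels field (original owner name, "*" not counted)


@dataclass
class NSEC:
    owner: str
    next_name: str


def wildcard_source(sig):
    """Wildcard the RRset was synthesized from, or None if signed under its own name.

    RFC 4035 s5.3.4: fewer RRSIG labels than owner labels means wildcard
    expansion; the wildcard is "*" plus the rightmost Labels labels.
    """
    owner_labels = labels(sig.owner)
    if sig.labels > len(owner_labels):
        raise ValueError("RRSIG Labels field exceeds owner name label count")
    if sig.labels == len(owner_labels):
        return None
    return "*." + ".".join(owner_labels[-sig.labels:]) + "."


def next_closer_name(sig):
    """The name one label longer than the wildcard's closest encloser.

    For the wildcard to apply, this name must not exist; if it does, it (or
    something under it) is the real closest encloser and the wildcard is out of scope.
    """
    owner_labels = labels(sig.owner)
    return ".".join(owner_labels[-(sig.labels + 1):]) + "."


def check_wildcard_proof(sig, nsecs):
    """Return (ok, reason) for a wildcard-expanded answer and its NSEC records."""
    wc = wildcard_source(sig)
    if wc is None:
        return True, "not a wildcard expansion; no non-existence proof needed"
    ncn = next_closer_name(sig)
    for rr in nsecs:
        if canonical_key(rr.owner) == canonical_key(ncn):
            # The NSEC names the next closer name as its owner: that proves it
            # EXISTS, so the wildcard cannot have been the closest encloser.
            return False, f"NSEC owner {rr.owner} proves {ncn} exists; {wc} is out of scope"
        if nsec_covers(rr.owner, rr.next_name, ncn):
            return True, f"NSEC {rr.owner} -> {rr.next_name} proves {ncn} absent; {wc} applies"
    return False, f"no NSEC proves non-existence of {ncn}"


# Figures from the dig output quoted above: 4-label owner, RRSIG Labels = 2.
SIG = RRSIG(owner="fail.mail2.clarion-hotels.cz.", labels=2)
NSEC_FROM_RESPONSE = NSEC("mail2.clarion-hotels.cz.", "clarion-hotels.cz.")
# Constructed NSEC (not in the response) that would legitimately prove mail2 absent.
NSEC_CONSTRUCTED = NSEC("m.clarion-hotels.cz.", "n.clarion-hotels.cz.")

if __name__ == "__main__":
    print("wildcard:", wildcard_source(SIG))
    print("next closer name:", next_closer_name(SIG))
    print("naive QNAME coverage:", nsec_covers(
        NSEC_FROM_RESPONSE.owner, NSEC_FROM_RESPONSE.next_name, SIG.owner))
    print("response NSEC:", check_wildcard_proof(SIG, [NSEC_FROM_RESPONSE]))
    print("constructed NSEC:", check_wildcard_proof(SIG, [NSEC_CONSTRUCTED]))
```

Running it reports the wildcard as *.clarion-hotels.cz., the next closer name as mail2.clarion-hotels.cz., naive coverage of the query name as True (the trap), a failed proof for the real response, and a passing proof for the constructed NSEC.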
