I have been using DANE for a while now, and thought I would push it out
to a few more systems, since I have not run into any problems over the
last year with my current one.
Due to this, I found more .mil DNS issues causing this to not
function. The .gov has had broken DNSSEC for years now, and .mil has
had flaky DNS servers and MTU issues, but now it seems that the .mil
DNS servers just drop all packets requesting TLSA lookups.
When doing tests with dig, it ends when attempting to contact any of
the DNS lookups, but only when attempting TLSA. Postfix was attempting
to deliver to @mail.mil accounts.
dsn=4.7.5, status=deferred (delivery temporarily suspended: TLSA
lookup error for pri-jeemsg.eemsg.mail.mil:25)
Is there something I can do to disable DANE lookups for all of .mil, or
do I have to specify each subdomain?
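As an added example (not from the original post or from Postfix's own documentation), this is the per-destination override the question is asking about: keep DANE as the default, but give every subdomain of .mil an explicit "may" policy in smtp_tls_policy_maps so no TLSA lookup is attempted for those deliveries. The file paths are assumptions.

```conf
# /etc/postfix/main.cf  (added example; paths are assumed)
# DANE stays the default for every other destination.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
# Per-destination overrides, looked up by the next-hop domain.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy
# A leading dot matches all subdomains (mail.mil, pri-jeemsg.eemsg.mail.mil, ...)
# because smtp_tls_policy_maps is not in parent_domain_matches_subdomains
# by default, so a bare "mil" entry would only match a next-hop of exactly "mil".
# "may" = opportunistic TLS: encrypt if offered, no TLSA lookup, no cert check.
.mil    may
mil     may

# Rebuild the table and reload Postfix after editing:
#   postmap /etc/postfix/tls_policy && postfix reload
# Check the literal key is present (postmap -q does no parent-domain matching):
#   postmap -q .mil hash:/etc/postfix/tls_policy
```

With this in place, mail to @mail.mil is still encrypted when the remote server offers STARTTLS but is no longer deferred on the failed TLSA lookup; the trade-off is that those destinations lose DANE's authentication, which the dropped lookups were not providing anyway.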
- TLSA and .mil dns servers Patrick Domack