On Mon, Nov 09, 2015 at 09:08:35AM -0500, Patrick Domack wrote:

> Due to this, I found more .mil dns issues causing this to not function. The
> .gov has had broken dnssec for years now, and .mil has had flaky dns servers
> and mtu issues, but now it seems that the .mil dns servers just drop all
> packets requesting tlsa lookups.

I've had some luck getting .gov domains to fix the issue, for example, loc.gov
(and around 15 associated domains) and fbi.gov used to not work, but now do.

Yes, indeed the .mil MX host nameservers are configured with misguided
"security" settings to drop queries for "unexpected" RRtypes.

    https://tools.ietf.org/html/draft-andrews-dns-no-response-issue-13#section-1
    https://tools.ietf.org/html/draft-andrews-dns-no-response-issue-13#section-2.6

I've reported the problem to the .gov registrar for forwarding to the .mil
folks, but I'm not expecting any immediate miracles.  This will likely take
some time.

The list of domains I've found that share the broken

    pri-jeemsg.eemsg.mail.mil
    sec-jeemsg.eemsg.mail.mil

MX hosts includes:

    fai.gov
    afnoc.af.mil
    centcom.mil
    dau.mil
    dcaa.mil
    dcma.mil
    dfas.mil
    dla.mil
    dma.mil
    doded.mil
    dodig.mil
    dsca.mil
    dss.mil
    dtra.mil
    jsf.mil
    jten.mil
    mail.mil
    militaryonesource.mil
    navy.mil
    nga.mil
    osd.mil
    pacom.mil
    pentagon.mil
    pfpa.mil
    soc.mil
    stratcom.mil
    uscg.mil
    usmc.mil
    whs.mil

> dsn=4.7.5, status=deferred (delivery temporarily suspended: TLSA lookup
> error for pri-jeemsg.eemsg.mail.mil:25)

As expected, given their borked DNS.

> Is there something I can do to disable dane lookups for all .mil? or do I
> have to specify each subdomain.

If you're using "unbound" as your validating resolver, you can for now set:

    server:
        domain-insecure: "eemsg.mail.mil."

This should cause unbound to pretend that "eemsg.mail.mil" is unsigned, and
with that Postfix won't look for any TLSA records for the MX hosts in
question.  (I've not tried this, so you might need to make the setting in a
parent of this domain, perhaps "mail.mil" or even "mil." if it does not work
as-is).

Not sure what the equivalent BIND setting is, but this should not be
difficult to find.

If by some miracle the .mil folks actually fix this in the near future, I'll
post something to the dane-us...@sys4.de list, and perhaps here too.

-- 
	Viktor.
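Added diagnostic, not part of Viktor's message or of Postfix/unbound: a small
Python probe for the "drops unexpected RRtypes" behaviour described above
(draft-andrews-dns-no-response-issue). It sends a raw UDP DNS query with no
external library, using an A query for the MX host as the control and a TLSA
query for the owner name Postfix actually looks up (`_25._tcp.<MX host>`,
assuming port 25), so you can tell a nameserver that is simply unreachable
from one that answers A but silently drops TLSA. The nameserver address and MX
host in the comments are placeholders you supply (the server should be one of
the authoritative servers for the MX host); the offline demo uses constructed
replies and sends nothing.

```python
#!/usr/bin/env python3
"""Probe whether a nameserver answers TLSA queries or silently drops them.

Added example, not from the original mail.  Sends a raw UDP DNS query
(no external library) and classifies the outcome.  The A query is the
control: a server that answers A but times out on TLSA is dropping
"unexpected" RRtypes, which is what breaks Postfix DANE lookups.
"""
import random
import socket
import struct

RRTYPE_A = 1
RRTYPE_TLSA = 52          # RFC 6698
CLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def tlsa_owner(mx_host, port=25):
    """Owner name Postfix looks up for DANE: _25._tcp.<MX host>."""
    return "_%d._tcp.%s." % (port, mx_host.rstrip("."))


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split("."))
    return wire + b"\x00"


def build_query(name, rrtype, txid):
    """DNS header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", rrtype, CLASS_IN)


def classify_response(txid, data):
    """Map a raw reply (or None for a timeout) to a short verdict string."""
    if data is None:
        return "DROPPED"                       # no reply at all
    if len(data) < 12:
        return "MALFORMED"
    rtxid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rtxid != txid or not flags & 0x8000:    # wrong id or QR bit unset
        return "MALFORMED"
    rcode = flags & 0x000F
    if rcode == 0:
        return "NOERROR/ANSWER" if ancount else "NOERROR/NODATA"
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)


def probe(server_ip, name, rrtype, timeout=3.0):
    """Send one query over UDP to port 53 and classify what comes back."""
    txid = random.randrange(0, 1 << 16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, rrtype, txid), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        data = None
    finally:
        sock.close()
    return classify_response(txid, data)


def interpret(a_verdict, tlsa_verdict):
    """Combine the control (A) and TLSA verdicts into a diagnosis."""
    if a_verdict == "DROPPED":
        return "server unreachable or dropping everything"
    if tlsa_verdict == "DROPPED":
        return "server answers A but drops TLSA (no-response issue)"
    return "server answers TLSA queries: %s" % tlsa_verdict


def diagnose(server_ip, mx_host):
    """Live check: A for the MX host, then TLSA for _25._tcp.<MX host>."""
    a = probe(server_ip, mx_host, RRTYPE_A)
    tlsa = probe(server_ip, tlsa_owner(mx_host), RRTYPE_TLSA)
    return interpret(a, tlsa)


def constructed_reply(txid, rcode, ancount):
    """Constructed header-only reply (QR|RD|RA set) for the offline demo."""
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)


if __name__ == "__main__":
    # Offline demo with constructed replies; no packets are sent.
    a_ok = classify_response(0x1234, constructed_reply(0x1234, 0, 1))
    print(interpret(a_ok, classify_response(0x1234, None)))
    # Live use with placeholder values (assumed, not from the mail):
    # print(diagnose("192.0.2.53", "mx.example.net"))
```

This queries the authoritative server directly and deliberately does not set
the DO bit, so it only tells you whether the server answers the RRtype at all;
Postfix itself asks its validating resolver and needs a signed answer, which
is why the `domain-insecure` workaround above stops the lookups rather than
making them succeed.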