domain-insecure: "mail.mil."
The above seems to be functioning; I'll do larger tests tonight. I'll also
see if I hit any other systems like this, as I start testing against
more and more servers.
The domain-insecure: "eemsg.mail.mil." setting kept failing randomly; I
believe this was again due to the ns servers at the mail.mil level.
Quoting Viktor Dukhovni <postfix-us...@dukhovni.org>:
On Mon, Nov 09, 2015 at 09:08:35AM -0500, Patrick Domack wrote:
Due to this, I found more .mil dns issues causing this to not function. The
.gov has had broken dnssec for years now, and .mil has had flaky dns servers
and mtu issues, but now it seems that the .mil dns servers just drop all
packets requesting tlsa lookups.
I've had some luck getting .gov domains to fix the issue, for
example, loc.gov (and around 15 associated domains) and fbi.gov
used to not work, but now do.
Yes, indeed the .mil MX host nameservers are configured with
misguided "security" settings to drop queries for "unexpected"
RRtypes.
https://tools.ietf.org/html/draft-andrews-dns-no-response-issue-13#section-1
https://tools.ietf.org/html/draft-andrews-dns-no-response-issue-13#section-2.6
I've reported the problem to .gov registrar for forwarding to the
.mil folks, but I'm not expecting any immediate miracles. This
will likely take some time.
The list of domains I've found that share the broken
pri-jeemsg.eemsg.mail.mil
sec-jeemsg.eemsg.mail.mil
MX hosts includes:
fai.gov
afnoc.af.mil
centcom.mil
dau.mil
dcaa.mil
dcma.mil
dfas.mil
dla.mil
dma.mil
doded.mil
dodig.mil
dsca.mil
dss.mil
dtra.mil
jsf.mil
jten.mil
mail.mil
militaryonesource.mil
navy.mil
nga.mil
osd.mil
pacom.mil
pentagon.mil
pfpa.mil
soc.mil
stratcom.mil
uscg.mil
usmc.mil
whs.mil
dsn=4.7.5, status=deferred (delivery temporarily suspended: TLSA lookup
error for pri-jeemsg.eemsg.mail.mil:25)
As expected, given their borked DNS.
Is there something I can do to disable dane lookups for all .mil? Or do I
have to specify each subdomain?
If you're using "unbound" as your validating resolver, you can for
now set:
server:
    domain-insecure: "eemsg.mail.mil."
This should cause unbound to pretend that "eemsg.mail.mil" is
unsigned, and with that Postfix won't look for any TLSA records
for the MX hosts in question. (I've not tried this, so you might
need to make the setting in a parent of this domain, perhaps
"mail.mil" or even "mil." if it does not work as-is).
Not sure what the equivalent BIND setting is, but this should not
be difficult to find.
If by some miracle the .mil folks actually fix this in the near
future, I'll post something to the dane-us...@sys4.de list, and
perhaps here too.
--
Viktor.
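To check which MX hosts a given domain-insecure: entry actually covers (the "do I have to specify each subdomain" question above), here is an added example that is not part of this thread and not code from unbound or Postfix. It models unbound's documented behaviour that the listed name and everything below it are treated as unsigned, so Postfix finds no usable TLSA records for those MX hosts; the config text and the host mx.navy.mil are constructed.

```python
"""Which MX hosts does an unbound "domain-insecure:" entry cover?

Added example, not code from unbound or Postfix. It models the rule that a
domain-insecure name and every name below it are treated as unsigned, so
Postfix skips DANE for MX hosts in that subtree. Matching is on whole DNS
labels, case-insensitive, with the trailing dot optional.
"""
import re

DOMAIN_INSECURE_RE = re.compile(r'^domain-insecure:\s*"?([^"\s]+)"?')


def parse_domain_insecure(config_text):
    """Return the names given on domain-insecure: lines of unbound.conf text."""
    names = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        match = DOMAIN_INSECURE_RE.match(line)
        if match:
            names.append(match.group(1))
    return names


def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def is_insecure(host, insecure_names):
    """True if host equals, or lies below, any name in insecure_names.

    Whole-label comparison: "eemsg.mail.mil" covers "pri-jeemsg.eemsg.mail.mil"
    but not a lookalike such as "xeemsg.mail.mil".
    """
    host_labels = labels(host)
    for name in insecure_names:
        suffix = labels(name)
        if not suffix:  # "." marks the whole namespace insecure
            return True
        if len(suffix) <= len(host_labels) and host_labels[-len(suffix):] == suffix:
            return True
    return False


def dane_skipped(mx_hosts, config_text):
    """Map each MX host to whether Postfix would skip its TLSA lookup."""
    insecure = parse_domain_insecure(config_text)
    return {mx: is_insecure(mx, insecure) for mx in mx_hosts}


# Constructed config and MX list; "mx.navy.mil" is a made-up host name.
UNBOUND_CONF = 'server:\n    domain-insecure: "eemsg.mail.mil."\n'
MX_HOSTS = ["pri-jeemsg.eemsg.mail.mil", "sec-jeemsg.eemsg.mail.mil",
            "xeemsg.mail.mil", "mx.navy.mil"]

if __name__ == "__main__":
    for mx, skipped in dane_skipped(MX_HOSTS, UNBOUND_CONF).items():
        print(f"{mx}: {'DANE skipped' if skipped else 'TLSA lookup still attempted'}")
```

Swapping the entry for "mil." marks every .mil MX host insecure, at the cost of giving up DANE for any .mil domain whose DNS does work.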