On Tue, Oct 17, 2017 at 01:56:39PM +1030, Mal wrote:

> This MTA is a dual stack postfix machine, which also has a dual stack
> resolver running.

Not clear how this is relevant...

> When testing DANE to a remote IPv4 only MTA, I see an attempt to look up
> a non-existent AAAA record by posttls-finger.

The only way to find out they don't exist is to ask.

> The remote site has only
> IPv4 records in the zone, except for the zone NS records, which come
> from dual stack resolvers (which are auth).

Still not clear how this is relevant.

> me@mta:/#posttls-finger -v -c -l dane -P/etc/ssl/certs domain1.com.au
> [ ... unnecessary verbose output elided ... ]
> posttls-finger: no TLSA records found, resorting to "secure"

No TLSA records were found, perhaps because the "A" records were
reported insecure, or because the TLSA records don't exist.

> The (slave) resolver on this box contains the AD records for the remote
> domain. I don't seem to have DANE issues with any other remote DANE
> enabled domains.

There's no such thing as "AD records". And the help you can get will be
rather limited if you must obfuscate the actual target domain. Post the
(unobfuscated) output of:

    $ domain=domain1.com.au   # actual domain here
    $ dig +noall +comment +ans +auth +nocl +nottl -t mx "$domain."
    $ for mx in $(dig +short -t mx "$domain" | sort -n | awk '{print $2}')
      do
        dig +noall +comment +ans +auth +nocl +nottl -t a "$mx"
        dig +noall +comment +ans +auth +nocl +nottl -t aaaa "$mx"
        dig +noall +comment +ans +auth +nocl +nottl -t tlsa "_25._tcp.$mx"
      done

> As a test, when I issue the same query on the actual remote MTA, he
> receives the TLSA record successfully and is able to verify the TLS.

Probably the resolver there behaves differently. Post the (unobfuscated)
output of the above commands when executed there.

> Any thoughts as to why posttls-finger / postfix are seeking a
> non-existent AAAA record ?

Wrong question.

-- 
	Viktor.
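As an added example (not code from the thread and not Postfix's own implementation), the following Python model walks the same lookup sequence the dig commands above exercise: MX, then A and AAAA for each MX host, then TLSA at _25._tcp.<host>, with TLSA only consulted when the earlier answers were DNSSEC-validated. The zone data, the host name mx1.domain1.com.au and its address are constructed; the "secure" fallback level is the one posttls-finger reported in the quoted output.

```python
from dataclasses import dataclass

@dataclass
class Answer:
    """Constructed stand-in for one DNS reply: the records returned and whether
    the validating resolver set the AD (Authenticated Data) bit."""
    records: list
    secure: bool

# Constructed sample data: an IPv4-only remote (hostname and address made up).
# No AAAA entry is present, which the model treats as a validated empty reply.
SAMPLE_DNS = {
    ("domain1.com.au", "MX"): Answer([(10, "mx1.domain1.com.au")], True),
    ("mx1.domain1.com.au", "A"): Answer(["192.0.2.25"], True),
    ("_25._tcp.mx1.domain1.com.au", "TLSA"): Answer(["3 1 1 <digest>"], True),
}

def dane_decision(domain, dns, fallback="secure"):
    """Model the client's lookups for `domain`; `dns` maps (qname, qtype) to an
    Answer. Returns [(mx_host, level, reason)] and the queries issued, in order."""
    queries = []

    def lookup(qname, qtype):
        queries.append((qname, qtype))
        return dns.get((qname, qtype), Answer([], True))

    mx = lookup(domain, "MX")
    results = []
    for _pref, host in sorted(mx.records):          # lowest preference first
        # Dual-stack client: A and AAAA are both asked for; the only way to find
        # out that no AAAA record exists is to query for it.
        a, aaaa = lookup(host, "A"), lookup(host, "AAAA")
        if not (a.records or aaaa.records):
            results.append((host, None, "no address records"))
            continue
        # TLSA applies only when the MX and address answers were validated.
        if not mx.secure:
            results.append((host, fallback, "MX lookup not DNSSEC-validated"))
            continue
        if (a.records and not a.secure) or (aaaa.records and not aaaa.secure):
            results.append((host, fallback, "address records reported insecure"))
            continue
        tlsa = lookup(f"_25._tcp.{host}", "TLSA")
        if tlsa.records and tlsa.secure:
            results.append((host, "dane", f"{len(tlsa.records)} TLSA record(s)"))
        elif tlsa.records:
            results.append((host, fallback, "TLSA records not DNSSEC-validated"))
        else:
            results.append((host, fallback, "no TLSA records found"))
    return results, queries
```

Swapping the A answer's `secure` flag to False, or dropping the TLSA entry, reproduces the two causes named in the reply above for falling back from "dane".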
Not clear how this is relevant... > When testing DANE to a remove IPv4 only MTA, I see an attempt to lookup > a non-existent AAAA record by posttls-finger. The only way to find out they don't exist is to ask. > The remote site has only > IPv4 records in the zone, except for the zone NS records, which come > from dual stack revolvers (which are auth). Still not clear how this is relevant. > me@mta:/#posttls-finger -v -c -l dane -P/etc/ssl/certs domain1.com.au > [ ... unnecessary verbose output elided ... ] > posttls-finger: no TLSA records found, resorting to "secure" No TLSA records were found, perhaps because the "A" records were reported insecure, or because the TLSA records don't exist. > The (slave) resolver on this box contains the AD records for the remote > domain. I don't seem to have DANE issues with any other remote DANE > enabled domains. There's no such thing as "AD records". And the help you can get will be rather limited if you must obfuscate the actual target domain. Post the (unobfuscated) output of: $ domain=domain1.com.au # actual domain here $ dig +noall +comment +ans +auth +nocl +nottl -t mx "$domain." $ for mx in $(dig +short -t mx $domain | sort -n | awk '{print $2}') do dig +noall +comment +ans +auth +nocl +nottl -t a "$mx" dig +noall +comment +ans +auth +nocl +nottl -t aaaa "$mx" dig +noall +comment +ans +auth +nocl +nottl -t tlsa "_25._tcp.$mx" done > As a test, when I issue the same query on the actual remote MTA, he > receives the TLSA record successfully and is able to Verify the TLS. Probably the resolver there behaves differently. Post the (unobfuscated) output of the above commands when executed there. > Any thoughts as to why posttls-finger / postfix are seeking a > non-existent AAAA record ? Wrong question. -- Viktor.