Hello Victor,
Thanks a lot! That's the root cause. I added the CNAME to get LE to verify the 
certificate shared by the MX addresses, and I prefer CNAMEs to avoid double 
maintenance. I have now replaced the CNAME with an A record and it worked (or 
failed because of misconfiguration of my mock server).
I should probably report the issue to Cloudflare, because usually they do very 
good checking of illegal situations.
Thanks again, much appreciated.
Joachim

-----Original Message-----
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On 
Behalf Of Viktor Dukhovni
Sent: Sunday, 23 January 2022 22:35
To: postfix-users@postfix.org
Subject: Re: no TLSA records found?

On Sun, Jan 23, 2022 at 10:13:17PM +0100, Joachim Lindenberg wrote:

> I am really wondering why it works for one domain and doesn't for mine.

See: https://dnsviz.net/d/et.lindenberg.one/dnssec/

It appears that "et.lindenberg.one" is a CNAME for "io.lindenberg.one", and it 
is not valid to have both CNAME and MX records at the same name.
And the "io.lindenberg.one" name has no MX records.

Cloudflare are doing some dodgy magic for your domain, returning CNAME responses 
in some cases and MX in others ("hsdig" is my own private DNS lookup CLI, but 
you'd get similar results with "dig"):

    $ hsdig -n 1.1.1.1 -t mx et.lindenberg.one
    et.lindenberg.one. IN MX 0 mx06.et.lindenberg.one. ; NoError AD=1
    et.lindenberg.one. IN MX 1 mx04.et.lindenberg.one. ; NoError AD=1
    et.lindenberg.one. IN MX 2 mx03.et.lindenberg.one. ; NoError AD=1
    et.lindenberg.one. IN MX 3 mx05.et.lindenberg.one. ; NoError AD=1

    $ hsdig -n 1.1.1.1 -t a et.lindenberg.one
    et.lindenberg.one. IN CNAME io.lindenberg.one. ; NoError AD=1
    io.lindenberg.one. IN A 82.165.56.12 ; NoError AD=1

Once a resolver has cached the CNAME record, it won't look for MX at that name, 
and will instead query the CNAME target.

    $ hsdig -n 8.8.4.4 -t a et.lindenberg.one
    et.lindenberg.one. IN CNAME io.lindenberg.one. ; NoError AD=1
    io.lindenberg.one. IN A 82.165.56.12 ; NoError AD=1

    $ hsdig -n 8.8.4.4 -t mx et.lindenberg.one
    et.lindenberg.one. IN CNAME io.lindenberg.one. ; NoError AD=1
    lindenberg.one. IN SOA adi.ns.cloudflare.com. d...@cloudflare.com. 2268458758 10000 2400 604800 3600 ; AD=1

This sort of DNS "magic" (breakage) may be fine for some CDN web sites, but 
works poorly if you want to publish anything other than A/AAAA records.

Get rid of the dodgy CNAME + MX hackery, and you should be fine.

-- 
    Viktor.

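The two points in Viktor's reply, that a name must not carry both a CNAME and MX records, and that a resolver which has cached the CNAME will restart the MX query at the CNAME target instead of asking for MX at the original name, can be checked offline. The following Python is an added example and is not code from the thread, from Postfix, or from Cloudflare. The zone records are constructed from the hsdig output above (the hostnames, priorities and the address 82.165.56.12); `QuirkyAuthoritative` is only a model of the type-dependent answers shown in the thread, not Cloudflare's implementation, and `CachingResolver` is a deliberately minimal cache with no negative caching or TTL handling.

```python
"""Added example, not from the postfix-users thread.

1. find_cname_conflicts(): lint zone data for an owner name that has a CNAME
   plus records of any other type (RFC 1034 section 3.6.2 forbids this; RFC
   4035 section 2.5 only permits the DNSSEC RRSIG/NSEC sets alongside it).
2. CachingResolver: shows why a resolver answers MX for the name until the
   CNAME lands in its cache, after which it follows the CNAME and finds no MX.
"""
from collections import defaultdict

# Constructed zone data modelled on the thread's hsdig output (owner, type, rdata).
ZONE = [
    ("et.lindenberg.one.", "MX", "0 mx06.et.lindenberg.one."),
    ("et.lindenberg.one.", "MX", "1 mx04.et.lindenberg.one."),
    ("et.lindenberg.one.", "CNAME", "io.lindenberg.one."),
    ("io.lindenberg.one.", "A", "82.165.56.12"),
]

# DNSSEC types that may legitimately sit beside a CNAME at the same owner.
CNAME_COMPATIBLE = {"RRSIG", "NSEC"}


def find_cname_conflicts(records):
    """Return {owner: sorted list of other types} for each owner that has a
    CNAME together with non-DNSSEC records of another type."""
    by_owner = defaultdict(set)
    for owner, rtype, _rdata in records:
        by_owner[owner.lower()].add(rtype.upper())
    conflicts = {}
    for owner, types in by_owner.items():
        if "CNAME" in types:
            others = sorted(types - {"CNAME"} - CNAME_COMPATIBLE)
            if others:
                conflicts[owner] = others
    return conflicts


class QuirkyAuthoritative:
    """Model (assumption, not Cloudflare's code) of the behaviour in the
    thread: an MX query gets the MX set, an A query gets the CNAME plus the
    target's A record, although both sets share the same owner name."""

    def __init__(self, records):
        self.records = records

    def query(self, name, rtype):
        name = name.lower()
        exact = [r for r in self.records if r[0].lower() == name and r[1] == rtype]
        if exact:
            return exact
        cname = [r for r in self.records if r[0].lower() == name and r[1] == "CNAME"]
        if cname:
            target = cname[0][2].lower()
            return cname + [r for r in self.records if r[0].lower() == target and r[1] == rtype]
        return []  # empty answer; NODATA vs NXDOMAIN is not modelled here


class CachingResolver:
    """Minimal positive cache keyed by (owner, type); no TTLs, no negative cache."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = defaultdict(list)

    def lookup(self, name, rtype, _depth=0):
        name = name.lower()
        if _depth > 8:
            raise RuntimeError("CNAME chain too long")
        # A cached CNAME is the only thing that can exist at this owner, so the
        # resolver restarts the query at the target rather than asking for rtype here.
        if rtype != "CNAME" and (name, "CNAME") in self.cache:
            return self.lookup(self.cache[(name, "CNAME")][0], rtype, _depth + 1)
        if (name, rtype) in self.cache:
            return list(self.cache[(name, rtype)])
        answer = self.upstream.query(name, rtype)
        for owner, t, rdata in answer:
            self.cache[(owner.lower(), t)].append(rdata)
        if answer and answer[0][1] == "CNAME" and rtype != "CNAME":
            return self.lookup(answer[0][2], rtype, _depth + 1)
        return [rdata for _owner, t, rdata in answer if t == rtype]


if __name__ == "__main__":
    print("conflicts:", find_cname_conflicts(ZONE))
    r = CachingResolver(QuirkyAuthoritative(ZONE))
    print("MX before CNAME cached:", r.lookup("et.lindenberg.one.", "MX"))
    print("A (caches the CNAME):  ", r.lookup("et.lindenberg.one.", "A"))
    print("MX after CNAME cached: ", r.lookup("et.lindenberg.one.", "MX"))
```

Running it shows the same resolver returning four-then-zero MX records depending only on whether an A lookup for the name happened first, which is exactly the 1.1.1.1 versus 8.8.4.4 difference in the thread; the lint function is the check to run over your own zone export before publishing MX or TLSA records at a name that also serves a web site.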