On Thu, Oct 06, 2022 at 12:19:48PM -0400, PGNet Dev wrote:

> I see lots of these,
>
> 2022-10-05T17:30:13.277421-04:00 mx03 postfix/smtp-out-ext/smtp[8484]:
> warning: DANE TLSA lookup problem:
> Host or domain name not found.
> Name service error for name=_25._tcp.christopher-ew.state.gov
> type=TLSA:
> Host not found, try again
>
> I personally don't recall ever seeing one of these DANE TLSA errors
It is possible that your resolver has fallen victim to the RHEL/Fedora
"crypto policy" changes that by default disable (i.e. make fail)
RSAwithSHA1 signature validation.

https://lwn.net/Articles/887832/
https://bugzilla.redhat.com/show_bug.cgi?id=2073066

> Checking with my local resolver (unbound),
>
> dig +ad +noall +comment +ans +auth -t tlsa _25._tcp.christopher-ew.state.gov
>
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 491
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232

All the resolvers I've tried work. There's likely some FAQ or other
documentation from RedHat about what you need to do to be able to
continue to resolve DNSSEC zones signed with the deprecated, but still
in use at some domains, algorithms 5 and 7 (RSA SHA1).

https://stats.dnssec-tools.org/explore/?state.gov

There may be a more recent version of unbound that detects the lack of
support and considers algorithms 5 and 7 as unsupported, and
corresponding zones as "insecure" rather than "bogus".

At https://stats.dnssec-tools.org you'll see that there are ~155k zones
that use algorithms 5 or 7, out of ~19.6 million zones total.

-- 
Viktor.
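The triage step Viktor describes (match the Postfix DANE warning to the zone's DNSSEC algorithm) as a small added helper; this is example code, not part of the thread or of Postfix. It parses the warning line quoted above and the text output of `dig +noall +answer DNSKEY <zone>` (the sample DNSKEY record and the example.test zone are constructed), and flags zones signed with algorithm 5 or 7.

```python
import re

# DNSSEC algorithm numbers whose signatures use SHA-1; these are the ones
# the RHEL/Fedora crypto policy change stops validating.
SHA1_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}

# Matches the Postfix smtp client warning shown in the thread.
LOG_RE = re.compile(r"DANE TLSA lookup problem:.*?name=(?P<qname>\S+)\s+type=TLSA")


def parse_dane_warning(line):
    """Return (tlsa_qname, mx_host) for a Postfix DANE TLSA warning, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    qname = m.group("qname")
    labels = qname.split(".")
    # TLSA owner names are _<port>._<proto>.<host>; strip the two prefix labels.
    if len(labels) > 2 and labels[0].startswith("_") and labels[1].startswith("_"):
        return qname, ".".join(labels[2:])
    return qname, qname


def dnskey_algorithms(dig_answer):
    """Parse `dig +noall +answer DNSKEY` output into the set of algorithm numbers."""
    algs = set()
    for rr in dig_answer.splitlines():
        fields = rr.split()
        # owner TTL class DNSKEY flags protocol algorithm public-key
        if len(fields) >= 8 and fields[3] == "DNSKEY":
            algs.add(int(fields[6]))
    return algs


def sha1_signed(dig_answer):
    """Map each SHA-1 based algorithm found in the DNSKEY RRset to its name."""
    return {a: SHA1_ALGORITHMS[a] for a in dnskey_algorithms(dig_answer) if a in SHA1_ALGORITHMS}


# Constructed sample input: a warning for a hypothetical MX and a DNSKEY answer
# for the hypothetical zone example.test using algorithm 7 (key data is fake).
SAMPLE_LOG = ("mx03 postfix/smtp-out-ext/smtp[8484]: warning: DANE TLSA lookup problem: "
              "Host or domain name not found. Name service error for "
              "name=_25._tcp.mail.example.test type=TLSA: Host not found, try again")
SAMPLE_DNSKEY = "example.test.\t3600\tIN\tDNSKEY\t257 3 7 AwEAAcFAKEKEYDATA==\n"

if __name__ == "__main__":
    qname, host = parse_dane_warning(SAMPLE_LOG)
    print(f"TLSA lookup {qname} failed for MX {host}")
    print("SHA-1 signed zone algorithms:", sha1_signed(SAMPLE_DNSKEY))
```

A SERVFAIL on the TLSA query combined with a non-empty result from sha1_signed points at the resolver's crypto policy rather than at the remote zone; an empty result means the failure needs a different explanation.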