Re: [dane] DNSSEC debug advice (TLSA lookup problem).
Mark Andrews <marka@isc.org> Fri, 05 September 2014 21:39 UTC
Return-Path: <marka@isc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 669011A02E7 for <dane@ietfa.amsl.com>; Fri, 5 Sep 2014 14:39:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.569
X-Spam-Level:
X-Spam-Status: No, score=-7.569 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D0pZpyfYaEbW for <dane@ietfa.amsl.com>; Fri, 5 Sep 2014 14:39:39 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83DBD1A0144 for <dane@ietf.org>; Fri, 5 Sep 2014 14:39:39 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.pao1.isc.org (Postfix) with ESMTP id 140E23493DE for <dane@ietf.org>; Fri, 5 Sep 2014 21:39:37 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 09DCF160047 for <dane@ietf.org>; Fri, 5 Sep 2014 21:42:20 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id 967A6160003 for <dane@ietf.org>; Fri, 5 Sep 2014 21:42:19 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id E12C61E806B5 for <dane@ietf.org>; Sat, 6 Sep 2014 07:39:34 +1000 (EST)
To: dane@ietf.org
From: Mark Andrews <marka@isc.org>
References: <20140904202137.GD26920@mournblade.imrryr.org> <20140904210017.09E4D1E6A231@rock.dv.isc.org> <20140904213730.GE26920@mournblade.imrryr.org> <20140904230533.ED33E1E6D2FC@rock.dv.isc.org> <20140905151149.GO26920@mournblade.imrryr.org>
In-reply-to: Your message of "Fri, 05 Sep 2014 15:11:49 +0000." <20140905151149.GO26920@mournblade.imrryr.org>
Date: Sat, 06 Sep 2014 07:39:34 +1000
Message-Id: <20140905213934.E12C61E806B5@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/6-9nVHQ5zzbiiyTgOUCrBR7EBTk
Subject: Re: [dane] DNSSEC debug advice (TLSA lookup problem).
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Sep 2014 21:39:41 -0000
In message <20140905151149.GO26920@mournblade.imrryr.org>, Viktor Dukhovni writes: > On Fri, Sep 05, 2014 at 09:05:33AM +1000, Mark Andrews wrote: > > > > Yes, in fact between posting and reading your answer, I went off > > > and did some reading. The problem as I now understand it seems to > > > be that: > > > > > > 1. *.clarion-hotels.cz IN CNAME exists. > > > 2. mail2.clarion-hotels.cz exists. > > > 3. _tcp.mail2.clarion-hotels.cz does not exist. > > > > > > and finally, the nameservers for clarion-hotels.cz incorrectly > > > apply the wildcard CNAME to a child of an existing sibling node > > > (mail2). This is detected as an error by various validating > > > resolvers. > > > > > > Is this right? > > > > Yes. > > Thanks. I wrote to the operators of the DNS servers, and they are > planning to fix the bug, but implemented a short-term work-around, > where the wildcard CNAME was replaced by wildcard A record. However > the work-around is not working to the satisfaction of my resolver, > any idea why? The problem is the wildcard and the broken wildcard processing, not the CNAME. The rcode is wrong as a result, NOERROR != NXDOMAIN. Getting rid of the wild card and adding explict address records for every name the http server is configured fore plus anything else depending on the wildcard will work. Alternatively adding a non TLSA records at the expected TLSA names should work as it should prevent the attempted wilcard lookup in the server and the resulting mis-match. _tlsa._tcp.mail.clarion-hotels.cz TXT "-" _tlsa._tcp.mail2.clarion-hotels.cz TXT "-" Alternatively they could configure the MTAs to support STARTTLS and add TLSA records. Mark > $ dig +dnssec +norecur -t tlsa _25._tcp.mail2.clarion-hotels.cz @ns.forpsi.net > ; <<>> DiG 9.8.3-P1 <<>> +dnssec +norecur -t tlsa _25._tcp.mail2.clarion-hotels.cz @ns.forpsi.net > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31810 > ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags: do; udp: 4096 > ;; QUESTION SECTION: > ;_25._tcp.mail2.clarion-hotels.cz. IN TLSA > > ;; AUTHORITY SECTION: > clarion-hotels.cz. 3600 IN SOA ns.forpsi.net. admin.forpsi.com. 2014090502 3600 1800 2592000 3600 > clarion-hotels.cz. 3600 IN RRSIG SOA 5 2 3600 20141005113302 20140905113302 13077 clarion-hotels.cz. > Y4JCzy6U/fMI2tz+pLfQ1mFD2h1jxRMJ7nUwXS0cxlE9xcN8QFibwC75 BBivVbf3Xb2oPXJTRTvkkUAXR1wziOCy/qvK4LyNFX2ENn2aKGn3i93H LrHM > /5u1IoeG4niXbS22Tue3FEgYKcSX7UA5PDDQAQs2o+jX9IbwYawC teM= > *.clarion-hotels.cz. 3600 IN NSEC mail.clarion-hotels.cz. A RRSIG NSEC > *.clarion-hotels.cz. 3600 IN RRSIG NSEC 5 2 3600 20141005113302 20140905113302 13077 clarion-hotels.cz > . lSf+ySQxo+sXxtuEZEIy7YghFeQnFlDd7vkZA8XO/ahgAzgxHZkAsQXk RjoJVCLd3E3FgX55Pu0RA6IQVn1ynZFYp3l1P24bC93+l3vszNsnMKnD qqj > NIIzeYanNfkI34kdPpj5C1HhtrC1ZUhRwryphsKXX9KYFB/B4i+47 U2E= > mail2.clarion-hotels.cz. 3600 IN NSEC clarion-hotels.cz. A RRSIG NSEC > mail2.clarion-hotels.cz. 3600 IN RRSIG NSEC 5 3 3600 20141005113302 20140905113302 13077 clarion-hotels.cz > . lX8m4n9dL8/055WYsv5LW/D9L7257lzOv9QAynpBlJiShQkYRFsAc9rT ZFdrCeahWXg01/jGVrUNoxwJUUxUobt8GFcTiXHvI/w5ej6rsc80tUVT BCn > W9WsJBNiz7hDN8Ac3V8gKE77Td2TZxJpPtRdAOTW4mc6E04XsLIL7 XmQ= > > ;; Query time: 130 msec > ;; SERVER: 81.2.194.130#53(81.2.194.130) > ;; WHEN: Fri Sep 5 11:04:38 2014 > ;; MSG SIZE rcvd: 742 > > This time there is no erroneous wildcard CNAME response, just > ANSWER:0, and some NSEC records in the authority section. In > particular there is an NSEC record that should prove absense of > anything after "mail2", thus denying "_tcp.mail2"... > > What's wrong now? Oddly enough when I ask for "mail3.<etc> IN TLSA > ?" the resolver is happy with a "NODATA" response, containing > exactly the same records. So these records constitute proof that > "mail3" does not exist, but somehow fail to prove that "_tcp.mail2" > does not? > > -- > Viktor. > > _______________________________________________ > dane mailing list > dane@ietf.org > https://www.ietf.org/mailman/listinfo/dane -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [dane] DNSSEC debug advice (TLSA lookup problem). Viktor Dukhovni
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Mark Andrews
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Viktor Dukhovni
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Mark Andrews
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Rene Bartsch
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Viktor Dukhovni
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Viktor Dukhovni
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Viktor Dukhovni
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Mark Andrews
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Viktor Dukhovni
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Viktor Dukhovni