[dane] Problem with ns.forpsi.{cz, it, net} nameservers and DANE TLSA

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 23 November 2014 19:40 UTC

To: FORPSI - Tech <admin@forpsi.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/HhpqLq8CGPYU2wa-pGTFkm5RVPM
Cc: "Deccio, Casey" <cdeccio@verisign.com>, dane@ietf.org

The problem is not surprisingly more widespread than the one domain
reported in ticket [0C6-1B9BB2EF-0123].  This will cause email
delivery problems to your customers' domains if not resolved by
fixing the nameserver software.  My new (and surely incomplete)
list of affected domains is below.

The newly updated (thanks Casey!) dnsviz.net site now gives a very
clear picture of the problem (just "mouse over" the NSEC3 record
box).  A wildcard at the domain level is incorrectly applied below
a sibling node.

    http://dnsviz.net/d/_25._tcp.mail.jursoft.cz/dnssec/?rr=52&ds=all&a=all&doe=on&ta=.

Queries for the TLSA records of all the MX hosts below similarly
fail validation.  What and when might be done to fully address this
issue?

Domain                             _25._tcp.mx-host. IN TLSA ?
---------------------------------  ---------------------------
3nicom.cz.                         _25._tcp.mail.3nicom.cz. IN TLSA ?
abcgames.cz.                       _25._tcp.mail.abcgames.cz. IN TLSA ?
adol.cz.                           _25._tcp.mail.adol.cz. IN TLSA ?
amd-autodily.cz.                   _25._tcp.mail.amd-autodily.cz. IN TLSA ?
arles.cz.                          _25._tcp.posta.arles.cz. IN TLSA ?
autobox.cz.                        _25._tcp.mail.autobox.cz. IN TLSA ?
bigbig.cz.                         _25._tcp.mail.bigbig.cz. IN TLSA ?
bonerix.cz.                        _25._tcp.smtp2.bonerix.cz. IN TLSA ?
cag.cz.                            _25._tcp.mail.cag.cz. IN TLSA ?
cenyzbozi.cz.                      _25._tcp.mail.cenyzbozi.cz. IN TLSA ?
challengept.cz.                    _25._tcp.mail.challengept.cz. IN TLSA ?
chilli-forum.cz.                   _25._tcp.mail.chilli-forum.cz. IN TLSA ?
convex.cz.                         _25._tcp.mail.convex.cz. IN TLSA ?
cz-ebay.cz.                        _25._tcp.mail.cz-ebay.cz. IN TLSA ?
dum-svitidel.cz.                   _25._tcp.mailserver.dum-svitidel.cz. IN TLSA ?
dzd.cz.                            _25._tcp.fw.dzd.cz. IN TLSA ?
efutsal.cz.                        _25._tcp.mail.efutsal.cz. IN TLSA ?
elitedate.cz.                      _25._tcp.mailserver.elitedate.cz. IN TLSA ?
equiservis.cz.                     _25._tcp.server.equiservis.cz. IN TLSA ?
gc-system.cz.                      _25._tcp.posta.gc-system.cz. IN TLSA ?
gigacomputer.cz.                   _25._tcp.mail.gigacomputer.cz. IN TLSA ?
happylabel.cz.                     _25._tcp.mail.happylabel.cz. IN TLSA ?
holmesplace.cz.                    _25._tcp.mail.holmesplace.cz. IN TLSA ?
hzprofin.cz.                       _25._tcp.mail.hzprofin.cz. IN TLSA ?
jursoft.cz.                        _25._tcp.mail.jursoft.cz. IN TLSA ?
kettler.cz.                        _25._tcp.firma.kettler.cz. IN TLSA ?
koberce-trend.cz.                  _25._tcp.mail.koberce-trend.cz. IN TLSA ?
koboz.cz.                          _25._tcp.mail01.koboz.cz. IN TLSA ?
nejlevnejsi-povleceni-zaclony.cz.  _25._tcp.mx.nejlevnejsi-povleceni-zaclony.cz. IN TLSA ?
neovize.cz.                        _25._tcp.mail.neovize.cz. IN TLSA ?
penta.cz.                          _25._tcp.mail.penta.cz. IN TLSA ?
poucek.cz.                         _25._tcp.mail.poucek.cz. IN TLSA ?
prag-aktuell.cz.                   _25._tcp.isp.prag-aktuell.cz. IN TLSA ?
quadrio.cz.                        _25._tcp.mail.quadrio.cz. IN TLSA ?
quanti.cz.                         _25._tcp.mail.quanti.cz. IN TLSA ?
rr-naradi.cz.                      _25._tcp.remote.rr-naradi.cz. IN TLSA ?
rybolov.cz.                        _25._tcp.mail.rybolov.cz. IN TLSA ?
sapho.cz.                          _25._tcp.server.sapho.cz. IN TLSA ?
stanicek.cz.                       _25._tcp.mail.do.stanicek.cz. IN TLSA ?
starelazne.cz.                     _25._tcp.mail.starelazne.cz. IN TLSA ?
svetbot.cz.                        _25._tcp.swenia.svetbot.cz. IN TLSA ?
svetoutdooru.cz.                   _25._tcp.mail.svetoutdooru.cz. IN TLSA ?
t-led.cz.                          _25._tcp.mail.t-led.cz. IN TLSA ?
technoline.cz.                     _25._tcp.mail.technoline.cz. IN TLSA ?
textrix.cz.                        _25._tcp.mail.textrix.cz. IN TLSA ?
velkebilovice.cz.                  _25._tcp.mail.velkebilovice.cz. IN TLSA ?
vlasy-in.cz.                       _25._tcp.mail.vlasy-in.cz. IN TLSA ?
xshare.cz.                         _25._tcp.mail.xshare.cz. IN TLSA ?

-- 
	Viktor.
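Added example (not code from the message above or from the nameserver vendor): RFC 4592 wildcard matching as a correct server or a validating resolver derives it, next to the "wildcard at the domain level applied below a sibling node" behaviour the message reports. The zone is constructed to mirror that shape (apex wildcard plus an existing `mail` node); only record types are kept per name.

```python
# Constructed zone: an apex wildcard and a sibling node "mail" beneath which
# the DANE TLSA name _25._tcp.mail.<domain> is looked up by an MTA.
ZONE = {
    "jursoft.cz.":      {"SOA", "NS", "MX"},
    "*.jursoft.cz.":    {"A"},
    "mail.jursoft.cz.": {"A"},   # existing sibling node of the wildcard
}

def ancestors(name):
    """Proper ancestors of a name, nearest first: a.b.c. -> b.c., c., ."""
    parts = name.rstrip(".").split(".")
    return [".".join(parts[i:]) + "." for i in range(1, len(parts) + 1)]

def rcode(types, qtype):
    return "NOERROR" if qtype in types else "NODATA"

def answer(zone, qname, qtype):
    """(rcode, source name) per RFC 4592: only the wildcard directly under
    the closest encloser (longest existing ancestor) may synthesize."""
    if qname in zone:
        return rcode(zone[qname], qtype), qname
    encloser = next((a for a in ancestors(qname) if a in zone), None)
    if encloser is None:
        return "REFUSED", None            # qname is outside this zone
    wildcard = "*." + encloser
    if wildcard in zone:
        return rcode(zone[wildcard], qtype), wildcard
    return "NXDOMAIN", encloser           # NSEC3 proof names the encloser

def answer_buggy(zone, qname, qtype):
    """Mimics the reported fault: the first wildcard found at ANY ancestor
    is used, even when an existing node lies between it and qname."""
    if qname in zone:
        return rcode(zone[qname], qtype), qname
    for anc in ancestors(qname):
        if "*." + anc in zone:
            return rcode(zone["*." + anc], qtype), "*." + anc
    return "NXDOMAIN", None

def validates(zone, qname, qtype, served):
    """A validator recomputes the closest encloser from the NSEC3 proof; a
    response sourced from a different wildcard cannot be proven (bogus),
    and a bogus TLSA lookup makes a DANE-aware MTA defer delivery."""
    return served == answer(zone, qname, qtype)
```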