[dane] Problem with hosting2go.nl nameservers and DANE TLSA
Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 23 November 2014 22:03 UTC
To: postmaster@hosting2go.nl
Cc: "Deccio, Casey" <cdeccio@verisign.com>, dane@ietf.org
Message-ID: <20141123220256.GK922@mournblade.imrryr.org>
In-Reply-To: <20140908123910.GU26920@mournblade.imrryr.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/Nh1zeLtpmV9x32isBeSuYiR1-Ms
[ Cc: to the dane WG list, in the hope that some here might be able to
assist, if they have direct contacts at the provider. Please don't Cc:
any follow-up list discussion to the ISP contact address. ]

Many hosting2go.nl domains emit incorrect denial of existence NSEC
records for DANE TLSA queries. This will cause email delivery problems
to your customers' domains if not resolved by fixing the nameserver
software. My (surely incomplete) list of affected domains is below.

For example, the nameservers for albertplatje.nl return NODATA instead
of NXDOMAIN for the query below:

    $ dig +cd +dnssec -t tlsa _25._tcp.albertplatje.nl. +nocl +nottl | pcregrep 'status:|^;; flags|\.\s+NSEC'
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20796
    ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
    *.albertplatje.nl. NSEC _autodiscover._tcp.albertplatje.nl. A RRSIG NSEC

The NSEC record proves the presence of "_tcp.albertplatje.nl", and the
absence of both "_25._tcp.albertplatje.nl" and "*._tcp.albertplatje.nl"
which lie between the NSEC pair endpoints. Therefore, this record should
be an NXDOMAIN, not NOERROR (aka NODATA when the answer count is 0).

In this case I believe we have a bug in dnsviz, which fails to note that
the NSEC record proves the existence of the empty non-terminal "_tcp",
and thus the relevant closest encloser is "_tcp" and so the wildcard
RRset is out of scope, and hence the RCODE should be NXDOMAIN.

    http://dnsviz.net/d/_25._tcp.albertplatje.nl/dnssec/?rr=52&ds=all&a=all&doe=on&ta=.

Queries for the TLSA records of all the MX hosts below similarly fail
validation. What and when might be done to fully address this issue?

    Domain                             _25._tcp.mx-host. IN TLSA ?
    ---------------------------------  ---------------------------
    albertplatje.nl.                   _25._tcp.albertplatje.nl. IN TLSA ?
    azie4y.nl.                         _25._tcp.azie4y.nl. IN TLSA ?
    delta-hardware.nl.                 _25._tcp.delta-hardware.nl. IN TLSA ?
    digistrip.nl.                      _25._tcp.digistrip.nl. IN TLSA ?
    edwords.nl.                        _25._tcp.edwords.nl. IN TLSA ?
    flashpatterns.nl.                  _25._tcp.flashpatterns.nl. IN TLSA ?
    informatieplatform.nl.             _25._tcp.informatieplatform.nl. IN TLSA ?
    kenney.nl.                         _25._tcp.kenney.nl. IN TLSA ?
    locdepot.nl.                       _25._tcp.locdepot.nl. IN TLSA ?
    mc4e.nl.                           _25._tcp.mc4e.nl. IN TLSA ?
    mega-save.nl.                      _25._tcp.mega-save.nl. IN TLSA ?
    netspecialist.nl.                  _25._tcp.netspecialist.nl. IN TLSA ?
    parfumsector.nl.                   _25._tcp.parfumsector.nl. IN TLSA ?
    portraitsbyrhalda.nl.              _25._tcp.portraitsbyrhalda.nl. IN TLSA ?
    premiumsecurity.nl.                _25._tcp.premiumsecurity.nl. IN TLSA ?
    rijschoolnaz.nl.                   _25._tcp.rijschoolnaz.nl. IN TLSA ?
    schaakzone.nl.                     _25._tcp.schaakzone.nl. IN TLSA ?
    straxlive.nl.                      _25._tcp.straxlive.nl. IN TLSA ?
    we12travel.nl.                     _25._tcp.we12travel.nl. IN TLSA ?
    winkelsector.nl.                   _25._tcp.winkelsector.nl. IN TLSA ?

-- 
	Viktor.
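As an added example (not part of Viktor's message, and not dnsviz code), the closest-encloser reasoning above carried out in Python against the single NSEC record from the dig output: RFC 4034 canonical ordering, NSEC coverage, the proven empty non-terminal "_tcp", and the RCODE a correct answer must carry. It assumes the zone apex is albertplatje.nl and that the NSEC type bitmap is exactly A RRSIG NSEC as shown.

```python
# Added example, not from the message or from dnsviz: work out what the single
# NSEC record in the dig output above proves about the TLSA query name, using
# the closest-encloser reasoning from the message. Pure Python 3, runs offline.

def labels(name):
    """Lowercase labels of a DNS name, trailing dot ignored."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def canonical_key(name):
    """RFC 4034 section 6.1 sort key: rightmost label first, bytewise."""
    return [l.encode() for l in reversed(labels(name))]

def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly between the NSEC owner and next-name."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC of the zone wraps around to the apex

def proven_names(owner, next_name, zone):
    """Names the NSEC proves exist: both endpoints plus every ancestor down to
    the apex (an existing name implies its ancestors, as empty non-terminals)."""
    proven, depth = set(), len(labels(zone))
    for name in (owner, next_name):
        ls = labels(name)
        proven.update(".".join(ls[i:]) for i in range(len(ls) - depth + 1))
    return proven

def closest_encloser(owner, next_name, qname, zone):
    """Longest proper ancestor of qname that the NSEC proves to exist."""
    ls, proven = labels(qname), proven_names(owner, next_name, zone)
    for i in range(1, len(ls)):
        if ".".join(ls[i:]) in proven:
            return ".".join(ls[i:])
    return None

def expected_rcode(owner, next_name, types, qname, zone):
    """Correct response for qname/TLSA given this one NSEC: ANSWER, NODATA,
    NXDOMAIN, or UNPROVEN when this NSEC alone does not settle it."""
    if labels(qname) == labels(owner):
        return "ANSWER" if "TLSA" in types else "NODATA"
    encloser = closest_encloser(owner, next_name, qname, zone)
    if encloser is None or not nsec_covers(owner, next_name, qname):
        return "UNPROVEN"
    wildcard = "*." + encloser  # the only wildcard that could synthesize qname
    if nsec_covers(owner, next_name, wildcard):
        return "NXDOMAIN"       # neither the name nor its wildcard exists
    if labels(wildcard) == labels(owner):  # wildcard exists: expand its types
        return "ANSWER" if "TLSA" in types else "NODATA"
    return "UNPROVEN"
```

For the record in the message, `closest_encloser("*.albertplatje.nl.", "_autodiscover._tcp.albertplatje.nl.", "_25._tcp.albertplatje.nl.", "albertplatje.nl.")` returns `_tcp.albertplatje.nl`, and `expected_rcode` with types `{"A", "RRSIG", "NSEC"}` returns `NXDOMAIN` rather than the NODATA the nameservers served. A name directly under the apex that the same NSEC covers, such as `_a.albertplatje.nl.`, is instead a legitimate NODATA, because there the closest encloser is the apex and its wildcard `*.albertplatje.nl` exists without a TLSA type.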