[dns-operations] DNSSEC Validation Errors with Wildcards

Bernhard Schmidt berni at birkenwald.de
Thu Oct 16 08:35:35 UTC 2014


Hi,

we have recently enabled outbound TLSA/DANE on our Postfix MTAs and have
come across a number of validation errors. These have the following in
common:

- The zone where the mailserver (right side of the MX record of the
target domain) resides in is signed
- there is a wildcard record on the zone level
- lookup of mailserver A/AAAA works fine and is authenticated
- lookup of _25._tcp.mailserver TLSA leads to SERVFAIL on our resolver
(BIND 9.9.5), Google DNS and both DNS-OARC resolvers

Examples:

_25._tcp.vdlc.nl
_25._tcp.mail.plexx.eu
_25._tcp.relay01.tt-mb.nl
_25._tcp.mail.cdv.cz

Sometimes DNSVIZ shows errors in the NSEC chaining (i.e. on the tt-mb.nl
zone), but for example the mail.cdv.cz one looks fine. Yet I cannot
validate the response.

Can anyone shed some light on this issue? Is there a signing error or a
validation error? If there is a signing error, is this a bug of some
commonly used software?

Thanks,
Bernhard



More information about the dns-operations mailing list