[dns-operations] DNSSEC Validation Errors with Wildcards
Bernhard Schmidt
berni at birkenwald.de
Thu Oct 16 08:35:35 UTC 2014
Hi,
we have recently enabled outbound TLSA/DANE on our Postfix MTAs and have
come across a number of validation errors. These have the following in
common:
- The zone where the mailserver (right side of the MX record of the target domain) resides is signed
- there is a wildcard record at the zone level
- lookup of the mailserver's A/AAAA works fine and is authenticated
- lookup of _25._tcp.mailserver TLSA leads to SERVFAIL on our resolver (BIND 9.9.5), Google DNS and both DNS-OARC resolvers
Examples:
_25._tcp.vdlc.nl
_25._tcp.mail.plexx.eu
_25._tcp.relay01.tt-mb.nl
_25._tcp.mail.cdv.cz
Sometimes DNSVIZ shows errors in the NSEC chaining (i.e. on the tt-mb.nl
zone), but for example the mail.cdv.cz one looks fine. Yet I cannot
validate the response.
Can anyone shed some light on this issue? Is there a signing error or a
validation error? If there is a signing error, is this a bug of some
commonly used software?
Thanks,
Bernhard
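The interaction the post is asking about, as an added example that is not part of the original message and not code from BIND, Google DNS or DNSViz: a small model of the RFC 4592 wildcard rules (closest encloser, empty non-terminals blocking wildcard matches) and of the NSEC proofs RFC 4035 sections 3.1.3 and 5.3.4 make a validator demand when a wildcard sits at the apex and a name such as _25._tcp.<mailserver> is queried. The zone, its NSEC chain and the name example.net are constructed here to mirror the shape the post describes; they are not the real zones listed above.

```python
# Added example, not code from the original post or from any of the resolvers
# it names. Zone data below is constructed for illustration (assumed name
# example.net.); it is not the content of any zone mentioned in the post.

def labels(name):
    """'A.b.c.' -> ['a', 'b', 'c']: lowercased, root label dropped."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical order: labels compared right
    to left as octet strings, an ancestor sorting before its descendants."""
    return [l.encode() for l in reversed(labels(name))]

def existing_names(zone):
    """Every name that exists: owner names plus their empty non-terminals
    (RFC 4592 section 2.2.2). ENTs matter because an existing name blocks a
    wildcard higher up from matching anything below it."""
    apex_len = min(len(labels(n)) for n in zone)
    names = set()
    for owner in zone:
        ls = labels(owner)
        for i in range(len(ls) - apex_len + 1):
            names.add(".".join(ls[i:]) + ".")
    return names

def classify(qname, qtype, zone):
    """Decide how an authoritative server must answer and which names the
    validator will need to see covered by NSEC records.
    (Type-bitmap checks for NODATA answers are not modelled.)"""
    qname = qname.lower()
    names = existing_names(zone)
    if qname in names:                        # exact match or ENT: no wildcard involved
        return {"rcode": "NOERROR", "source": qname,
                "answer": qtype in zone.get(qname, set()),
                "rrsig_labels": len(labels(qname)), "must_cover": []}
    ql = labels(qname)
    for i in range(1, len(ql) + 1):           # closest encloser: longest existing ancestor
        ce = ".".join(ql[i:]) + "."
        if ce in names:
            next_closer = ".".join(ql[i - 1:]) + "."
            break
    else:
        raise ValueError("name is not below the zone apex")
    wildcard = "*." + ce
    if wildcard in zone:                      # synthesis; RRSIG Labels counts the owner without '*'
        return {"rcode": "NOERROR", "source": wildcard,
                "answer": qtype in zone[wildcard],
                "rrsig_labels": len(labels(wildcard)) - 1,
                "must_cover": [next_closer]}  # proof that no closer match exists
    return {"rcode": "NXDOMAIN", "source": None, "answer": False,
            "rrsig_labels": None,
            "must_cover": [qname, wildcard]}  # proof qname and *.closest-encloser both absent

def rrsig_indicates_wildcard(qname, rrsig_labels):
    """RFC 4035 section 5.3.1: a Labels field smaller than the owner's label
    count means the RRset was synthesized and the validator must also find
    the NSEC proving the next closer name does not exist."""
    return rrsig_labels < len(labels(qname))

def nsec_covers(owner, next_name, name):
    """True when name lies strictly between owner and next_name in canonical
    order; the last NSEC of a zone wraps around to the apex."""
    k, ko, kn = canonical_key(name), canonical_key(owner), canonical_key(next_name)
    if ko < kn:
        return ko < k < kn
    return k > ko or k < kn

def proofs_satisfied(must_cover, nsecs):
    """Every required name must be covered by some supplied NSEC (owner, next)."""
    return all(any(nsec_covers(o, n, name) for o, n in nsecs) for name in must_cover)

ZONE = {  # constructed: owner name -> RR types present at that name
    "example.net.":               {"SOA", "NS", "MX", "DNSKEY"},
    "*.example.net.":             {"A"},
    "mail.example.net.":          {"A", "AAAA"},
    "_25._tcp.mail.example.net.": {"TLSA"},
    "mx2.example.net.":           {"A"},
}
NSECS = [  # the correct NSEC chain for ZONE in canonical order (constructed)
    ("example.net.", "*.example.net."),
    ("*.example.net.", "mail.example.net."),
    ("mail.example.net.", "_25._tcp.mail.example.net."),
    ("_25._tcp.mail.example.net.", "mx2.example.net."),
    ("mx2.example.net.", "example.net."),
]

if __name__ == "__main__":
    for q in ("_25._tcp.mail.example.net.", "_25._tcp.mx2.example.net.",
              "www.example.net.", "_25._tcp.smtp.example.net."):
        r = classify(q, "TLSA" if q.startswith("_25") else "A", ZONE)
        print(q, r["rcode"], "from", r["source"], "proofs ok:",
              proofs_satisfied(r["must_cover"], NSECS))
```

The case worth staring at is _25._tcp.mx2.example.net.: because mx2.example.net. exists, the closest encloser is mx2, the apex wildcard does not apply, and a correct server must answer NXDOMAIN with an NSEC that covers both the query name and *.mx2.example.net.; a server that instead synthesizes from *.example.net., or returns an NSEC covering only *.example.net., gives a validator nothing it can accept, which surfaces as SERVFAIL. Running the block against real data means replacing ZONE and NSECS with what dig +dnssec returns from the authoritative servers.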