[dns-operations] DNSSEC Validation Errors with Wildcards

Mark Andrews marka at isc.org
Thu Oct 16 10:50:11 UTC 2014 

The correct answer is NXDOMAIN based on the NSEC record which says
there is no records between _tcp.vdlc.nl and _autodiscover._tcp.vdlc.nl.
i.e. there is no wildcard record at *._tcp.vdlc.nl.

The problem is a wildcard processing server error.  It is generating
the wrong response code.  It is failing to account for the existence
of _tcp.vdlc.nl.

; <<>> DiG 9.11.0pre-alpha <<>> +cd +dnssec tlsa _25._tcp.vdlc.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31073
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_25._tcp.vdlc.nl.		IN	TLSA

;; AUTHORITY SECTION:
*.vdlc.nl.		866	IN	RRSIG	NSEC 8 2 900 20141030000000 20141009000000 33075 vdlc.nl. 6bxF19YZNEA+HNGbA3RfbM1n8nsNwAthx7P4HQ2TEGSG/0hUTRCG+/ij feYNfhePWVgYVxaxlfablhkNXZhmcnUt+X/BAlh3LVdcY6HAjEgnXBqa lqTSiAzkbkJczsy/vw2f0e//RseFTPJ6G0Y/KTnDP9Sn9Fya4OzjhgkY fTk=
*.vdlc.nl.		866	IN	NSEC	_autodiscover._tcp.vdlc.nl. A RRSIG NSEC
vdlc.nl.		866	IN	SOA	ns1.hosting2go.nl. postmaster.vdlc.nl. 1378119762 10800 3600 604800 900
vdlc.nl.		866	IN	RRSIG	SOA 8 2 86400 20141030000000 20141009000000 33075 vdlc.nl. 1V5n1+mW6onYYsPyE9VMrziFoxXVmdp1Me2TaO2mJ8do3XDtesc6FJ3L cCXNgulV7p2hHZb8BPrt0xnnDlkyqK1qgRPBVzvLLrL22trRn9SOlzjz Zgm/OWgsciQNrliQAeacaZzXxGRyMbsa/H7HGAgEzm8LcqdqHfWPuhr0 CL4=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 16 21:42:19 EST 2014
;; MSG SIZE  rcvd: 491

Mark

In message <543F8357.6020303 at birkenwald.de>, Bernhard Schmidt writes:
> Hi,
> 
> we have recently enabled outbound TLSA/DANE on our Postfix MTAs and have
> come across a number of validation errors. These have the following in
> common:
> 
> - The zone where the mailserver (right side of the MX record of the
> target domain) resides in is signed
> - there is a wildcard record on the zone level
> - lookup of mailserver A/AAAA works fine and is authenticated
> - lookup of _25._tcp.mailserver TLSA leads to SERVFAIL on our resolver
> (BIND 9.9.5), Google DNS and both DNS-OARC resolvers
> 
> Examples:
> 
> _25._tcp.vdlc.nl
> _25._tcp.mail.plexx.eu
> _25._tcp.relay01.tt-mb.nl
> _25._tcp.mail.cdv.cz
> 
> Sometimes DNSVIZ shows errors in the NSEC chaining (i.e. on the tt-mb.nl
> zone), but for example the mail.cdv.cz one looks fine. Yet I cannot
> validate the response.
> 
> Can anyone shed some light on this issue? Is there a signing error or a
> validation error? If there is a signing error, is this a bug of some
> commonly used software?
> 
> Thanks,
> Bernhard
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list