[dns-operations] DNSSEC Validation Errors with Wildcards

Casey Deccio casey at deccio.net
Thu Oct 16 19:24:26 UTC 2014


On Thu, Oct 16, 2014 at 4:35 AM, Bernhard Schmidt <berni at birkenwald.de>
wrote:

> we have recently enabled outbound TLSA/DANE on our Postfix MTAs and have
> come across a number of validation errors. These have the following in
> common:
>
> - The zone where the mailserver (right side of the MX record of the
> target domain) resides in is signed
> - there is a wildcard record on the zone level
> - lookup of mailserver A/AAAA works fine and is authenticated
> - lookup of _25._tcp.mailserver TLSA leads to SERVFAIL on our resolver
> (BIND 9.9.5), Google DNS and both DNS-OARC resolvers
>
> Examples:
>
> _25._tcp.vdlc.nl
> _25._tcp.mail.plexx.eu
> _25._tcp.relay01.tt-mb.nl
> _25._tcp.mail.cdv.cz
>
> Sometimes DNSVIZ shows errors in the NSEC chaining (i.e. on the tt-mb.nl
> zone), but for example the mail.cdv.cz one looks fine. Yet I cannot
> validate the response.
>

DNSViz was incorrectly showing the NSEC covering as valid for some of the
above wildcards.  It was checking that expanded wildcard name did not
exist, but was not checking that the wildcard expansion was valid.  It has
been corrected, e.g.,:

http://dnsviz.net/d/_25._tcp.vdlc.nl/VEAZDw/dnssec/
http://dnsviz.net/d/_25._tcp.mail.cdv.cz/VEAZdw/dnssec/

Cheers,
Casey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141016/92547a16/attachment.html>


More information about the dns-operations mailing list