[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Apr 17 21:16:23 UTC 2018

> On Apr 17, 2018, at 3:51 PM, John Levine <johnl at taugh.com> wrote:
>> *.frasier.family. IN CNAME \@
>> breaks email delivery to that domain from DANE-enabled Postfix or Exim.
> Except that it has no MX and the A record host doesn't respond on port
> 25.  It's just broken.  Nothing to see here, move along.

Yes, but just because this particular domain does not accept email at present does not mean that other domains are unaffected, or that this domain won't want email some day...

For example (CNAME loop due to missing trailing "." in wildcard CNAME RHS):

    bdsoft.cz. IN MX ? ; NODATA AD=1
    bdsoft.cz. IN A ; NoError AD=1
    bdsoft.cz. IN AAAA ? ; NODATA AD=1
    _25._tcp.bdsoft.cz. IN TLSA ? ; ServFail AD=0

    [ Disabling DANE we get to the SMTP server ]
    $ posttls-finger -l may bdsoft.cz
    posttls-finger: Connected to bdsoft.cz[]:25
    posttls-finger: < 220 hosting.netclick.cz ESMTP ispCP 1.0.7 OMEGA Managed

    [ With DANE enabled the connection is deferred ]
    $ posttls-finger bdsoft.cz 
    posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.bdsoft.cz type=TLSA: Host not found, try again
    posttls-finger: Failed to establish session to bdsoft.cz via bdsoft.cz: TLSA lookup error for bdsoft.cz:25

The loop details:

  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44132
  ;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1
  ;_25._tcp.bdsoft.cz.    IN TLSA
  _25._tcp.bdsoft.cz.     CNAME   digioartner.cz.bdsoft.cz.
  digioartner.cz.bdsoft.cz. CNAME digioartner.cz.bdsoft.cz.
  ffd2173pnd70h5uiakiosmg6oa10r1oo.bdsoft.cz. NSEC3 1 0 10 2FA0A99149093CEB R5849DBVV27BIIOJJSGV80HM8O1KR97T  CNAME RRSIG
  8qip588uhjura0kg8h14c4odft4bnq24.bdsoft.cz. NSEC3 1 0 10 2FA0A99149093CEB FFD2173PND70H5UIAKIOSMG6OA10R1OO  A NS SOA RRSIG DNSKEY NSEC3PARAM

Relevant hashes:

  nc9ptiurov64jv5fsdo5ju9347ujdmpn. _tcp.bdsoft.cz (covered)
  ffd2173pnd70h5uiakiosmg6oa10r1oo. *.bdsoft.cz 
  8qip588uhjura0kg8h14c4odft4bnq24. bdsoft.cz

There are of course others...
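The failure mode described above (the wildcard CNAME target `digioartner.cz` lacks a trailing dot, so the zone parser appends the origin, and the resulting `digioartner.cz.bdsoft.cz.` is then matched by the very same wildcard) modelled as an added example. This is not code from the post, from Postfix, or from any other software named in the thread: a small in-memory zone with RFC 4592-style wildcard synthesis, a CNAME chaser that reports the loop a recursive resolver would turn into SERVFAIL, and a lint that flags such wildcard CNAMEs before the zone is published. The zone lines and the address 192.0.2.10 are constructed; the broken zone is the minimal reconstruction of the two CNAME records visible in the dig output.

```python
# Added example (not from the mailing-list post or any named software):
# an in-memory zone model that shows how a wildcard CNAME with an
# unqualified target becomes a self-loop once the origin is appended,
# and a lint that catches it before the zone is published.
from typing import Dict, List, Optional, Tuple

RRset = List[Tuple[str, str]]   # [(rrtype, rdata), ...]
Zone = Dict[str, RRset]         # absolute owner name -> records

ORIGIN = "bdsoft.cz."


def qualify(name: str, origin: str) -> str:
    """Absolutize a zone-file name the way a zone parser does: '@' is the
    origin, a trailing dot means already absolute, anything else gets the
    origin appended.  'digioartner.cz' therefore becomes
    'digioartner.cz.bdsoft.cz.' (the mistake discussed in the post)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def load_zone(origin: str, lines: List[str]) -> Zone:
    """Parse 'owner TYPE rdata' lines; owners and CNAME targets are qualified."""
    zone: Zone = {}
    for line in lines:
        owner, rrtype, rdata = line.split(None, 2)
        owner = qualify(owner, origin)
        if rrtype == "CNAME":
            rdata = qualify(rdata, origin)
        zone.setdefault(owner, []).append((rrtype, rdata))
    return zone


def in_zone(name: str, origin: str) -> bool:
    return name == origin or name.endswith("." + origin)


def name_exists(zone: Zone, name: str) -> bool:
    """A name exists if it owns records or is an empty non-terminal above an owner."""
    return any(o == name or o.endswith("." + name) for o in zone)


def lookup(zone: Zone, origin: str, qname: str) -> Tuple[Optional[str], RRset]:
    """Return (matched owner, records).  Exact match first; otherwise RFC 4592
    wildcard synthesis: the closest existing ancestor is the closest encloser,
    and '*.<closest encloser>' matches if it exists.  None means NXDOMAIN."""
    if not in_zone(qname, origin):
        return None, []
    if qname in zone:
        return qname, zone[qname]
    if name_exists(zone, qname):
        return qname, []                          # empty non-terminal
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):           # ancestors, nearest first; skip root
        ancestor = ".".join(labels[i:])
        if name_exists(zone, ancestor):           # closest encloser
            wildcard = "*." + ancestor
            if wildcard in zone:
                return wildcard, zone[wildcard]
            return None, []
    return None, []


def resolve(zone: Zone, origin: str, qname: str, qtype: str,
            max_chain: int = 8) -> Tuple[str, List[str]]:
    """Chase CNAMEs within the zone.  Returns (status, chain of names).
    'LOOP' is the case a recursive resolver answers with SERVFAIL, which is
    what the TLSA lookup in the post ran into."""
    chain = [qname]
    name = qname
    for _ in range(max_chain):
        matched, rrs = lookup(zone, origin, name)
        if matched is None:
            return "NXDOMAIN", chain
        if any(t == qtype for t, rd in rrs):
            return "NOERROR", chain
        cnames = [rd for t, rd in rrs if t == "CNAME"]
        if not cnames:
            return "NODATA", chain
        target = cnames[0]
        if target in chain:
            return "LOOP", chain + [target]
        chain.append(target)
        if not in_zone(target, origin):
            return "OUT_OF_ZONE", chain           # a resolver would chase it elsewhere
        name = target
    return "LOOP", chain                          # chain too long: same outcome


def wildcard_cname_loops(zone: Zone, origin: str) -> List[str]:
    """Zone lint: wildcard CNAMEs whose own target is synthesized by the same
    wildcard, i.e. a loop as soon as anything under the wildcard is queried."""
    bad = []
    for owner, rrs in zone.items():
        if owner.startswith("*."):
            for rrtype, target in rrs:
                if rrtype == "CNAME" and lookup(zone, origin, target)[0] == owner:
                    bad.append(owner)
    return bad


# Constructed zone lines; the address is a placeholder.  The broken zone
# reproduces the CNAME pair that the dig output in the post shows.
BROKEN_ZONE = load_zone(ORIGIN, ["@ A 192.0.2.10", "* CNAME digioartner.cz"])
FIXED_ZONE = load_zone(ORIGIN, ["@ A 192.0.2.10", "* CNAME digioartner.cz."])

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, resolve(zone, ORIGIN, "_25._tcp.bdsoft.cz.", "TLSA"))
        print(label, "lint:", wildcard_cname_loops(zone, ORIGIN))
```

Running it shows the broken zone answering the `_25._tcp` TLSA query with a two-element CNAME chain that closes on itself, while the apex still answers NODATA for MX and NOERROR for A, exactly the pattern in the lookups above; with the trailing dot in place the chain simply leaves the zone. The lint is the check an operator would want in a pre-publish pipeline: any wildcard CNAME whose target is matched by that same wildcard is rejected before it can break DANE lookups for every name under it.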
