[dns-operations] Anyone with contacts at Paypal and/or Ultradns?

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Dec 11 08:25:17 UTC 2019

On Wed, Dec 11, 2019 at 07:45:24AM +0100, Tom Ivar Helbekkmo wrote:

> Mail from Paypal to me is failing, hard, because I run a resolver with
> DNSSEC verification and qname minimization, and an MTA that implements

A word of unsolicated advice (you're more than free to ignore) from someone (me)
deeply enmeshed in email security and DNSSEC:

    * Don't use qname minimization with validating MTA-facing resolvers.
    * Instead run a *local* resolver.  The cache on that resolver will
      do all the qname minimization you can get.

The use of qname minimization substantially increases the odds of running into
problems with sites whose nameservers implement "DNSSEC-lite", and mishandle
ENTs, denial of existence, ...

Qname-minimization may be fine if all you want is A/AAAA records, but MTAs use
DNS for much more.

Since for most domains you'll first be querying for the MX records near the
zone apex, the local resolver will have already cached the relevant auth
server, and queries for sub-domains will not look out to roots and TLDs, though
but the MX lookup unavoidable does, with or without qname minimization.

To further reduce leakage, you can also configure a local root somewhere on
your network, but a busy MTA will rarely need to ask the root for referrals
to TLDs.

> Out of the four name servers they've got configured, the two at
> Ultradns are mishandling empty non-terminals.

Sad, but not sufficiently uncommon. :-( The solution is largely above...


More information about the dns-operations mailing list