September 2015 - dane-users

education.lu
by Wolfgang Breyha 08 Apr '16

08 Apr '16

Hi! I'm testing the new exim 4.85 DANE support and it took only some days to get in trouble... One of our users tried to send mail to the domain education.lu. Their domain and MX hosts are DNSSEC enabled and have TLSA RRs. The DANE validator https://dane.sys4.de/smtp/education.lu says: "Unusable TLSA Records". Most likely because it is type 1 not allowed for DANE-SMTP? I've set hosts_try_dane = * in my SMTP transport. Exim refuses to talk to those hosts at all with "failure while setting up TLS session". Is this expected behavior in terms of DANE-SMTP? What's postfix doing in this case? Greetings, Wolfgang -- Wolfgang Breyha <wbreyha(a)gmx.net> | http://www.blafasel.at/ Vienna University Computer Center | Austria

8 29

Subtle DNS problems to avoid...
by Viktor Dukhovni 27 Sep '15

27 Sep '15

Some of the domains I've tested exhibit sporadic TLSA record DNS lookup errors, with some of the domain's nameservers working fine, and others not so well. DANE mail to these sites gets through eventually, but perhaps with some delay. You can see some of the problems at the URLs below: http://dnsviz.net/d/_25._tcp.mx.edpescelsa.com.br/dnssec/ http://dnsviz.net/d/_25._tcp.smtp1.gencat.cat/dnssec/ http://dnsviz.net/d/_25._tcp.mail.edsi-tech.com/dnssec/ http://dnsviz.net/d/_25._tcp.mail.intersatafrica.com/dnssec/ http://dnsviz.net/d/_25._tcp.mailserver.planetvampire.com/dnssec/ http://dnsviz.net/d/_25._tcp.mailhost.bncr.fi.cr/dnssec/ http://dnsviz.net/d/_25._tcp.www.linuxdays.cz/dnssec/ http://dnsviz.net/d/_25._tcp.smtp.richland.edu/dnssec/ http://dnsviz.net/d/_25._tcp.mta0.core.aeschi.eu/dnssec/ http://dnsviz.net/d/_25._tcp.exceed-it.eu/dnssec/ http://dnsviz.net/d/_25._tcp.smtpedge2.uspto.gov/dnssec/ http://dnsviz.net/d/_25._tcp.mx2.dnet.net.id/dnssec/ http://dnsviz.net/d/_25._tcp.dmg2.dtic.mil/dnssec/ http://dnsviz.net/d/_25._tcp.mailproxy.cnic.navy.mil/dnssec/ http://dnsviz.net/d/_25._tcp.transport.hub210.net/dnssec/ http://dnsviz.net/d/_25._tcp.mx1.kurty.net/dnssec/ http://dnsviz.net/d/_25._tcp.mail.zwei.net/dnssec/ http://dnsviz.net/d/_25._tcp.mailfilter.webguru.nl/dnssec/ http://dnsviz.net/d/_25._tcp.rejo.zenger.nl/dnssec/ http://dnsviz.net/d/_25._tcp.smtpin1.stgraber.org/dnssec/ http://dnsviz.net/d/_25._tcp.charybda.torinthiel.pl/dnssec/ http://dnsviz.net/d/_25._tcp.brownsugar.se/dnssec/ http://dnsviz.net/d/_25._tcp.mailgw01.harnosand.se/dnssec/ http://dnsviz.net/d/_25._tcp.em01.jhwbg.se/dnssec/ http://dnsviz.net/d/_25._tcp.manc.se/dnssec/ http://dnsviz.net/d/_25._tcp.nllplus.se/dnssec/ http://dnsviz.net/d/_25._tcp.rafel.se/dnssec/ Problems include: * Warnings about glue NS records differing from authoritative NS records (some of the "extra" nameservers don't support DNSSEC, refuse service, ...). * Warnings about likely UDP fragmentation problems (no response unless EDNS0 payload is reduced). * Some nameservers reachable only via TCP * Some nameservers refusing service for the domain * Some nameservers not returning NSEC or NSEC3 records with denial of existence. * Some nameservers returning the wrong or partial NSEC3 records, failing to take into account intermediate domains between the zone apex and the qname. * Some nameservers returning nonsense NSEC records * Expired RRSIGs on a subset of the nameservers. * NODATA instead of NXDOMAIN for a subset of the nameservers. * NSEC records with no RRSIG for a subset of the nameservers. Bottom line, please check your DNS from time to time. Even if mail is getting through, and DANE tests report success, there may be some latent problems. And if anyone on this list owns the above domains, or knows the responsible parties, please correct your DNS or reach out to your contacts. -- Viktor.

1 0

Change in dane.sys4.de x509 cert ahead
by Patrick Ben Koetter 09 Sep '15

09 Sep '15

Benny Petersen noted today that dane.sys4.de is still using a SHA1 x509 cert for the website. We will need to revocate that certificate in order to get a new, SHA2 certificate. During that time and until the new certificate will be in place you may receive a warning when your browser connects to https://dane.sys4.de. If you use a browser plugin to DANE validate https://dane.sys4.de you will probably also receive a warning. This will go away once the new fingerprint has been distributed via DNS. Don't be alarmed while we replace the certificate. p@rick -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein

2 3

Validating an SMTP server
by Hoggins! 08 Sep '15

08 Sep '15

Hey there ! I'm trying to validate my DANE records against my SMTP server, but I'm facing something that I cannot understand, because I believe I'm lacking some details about the validation failure : I'm trying to validate smtp.hoggins.fr. It gives me an error on the validator (https://dane.sys4.de/smtp/smtp.hoggins.fr), but I don't know what I need to change about that. Is there a way to be more verbose about the validation failure ? Maybe some client-side checking I can do manually ? Thanks. Hoggins!

6 27