Viktor,

Thanks for finding this.

The problem appears to with getdns...  it's returning that CNAME lookups are bogus when in fact they are not.

I have filed a ticket request with the getdns team.

https://github.com/getdnsapi/getdns-python-bindings/issues/33

Until this is resolved, people should not use my validator, as the results are untrustworthy with regards to CNAME records.

Simson



On Sep 7, 2015, at 4:46 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:

On Mon, Sep 07, 2015 at 08:10:38PM +0000, Viktor Dukhovni wrote:

And yet the validator claims the TLSA RRset is "bogus",
reports failure:

   http://ec2.simson.net/dane_check.cgi?host=openssl.org

BOGUS DNS CNAME lookup _25._tcp.mta.openssl.org. = wildcard._dane.openssl.org.

Something's not quite right here...

The issue seems to be systemic:

   http://ec2.simson.net/dane_check.cgi?host=nlnetlabs.nl

BOGUS DNS CNAME lookup _25._tcp.nlnetlabs.nl = 3.1.1._dane-both.nlnetlabs.nl.

   http://ec2.simson.net/dane_check.cgi?host=spodhuis.org

BOGUS DNS CNAME lookup _25._tcp.mx.spodhuis.org. = _globnix-tlsa.spodhuis.org.

   http://ec2.simson.net/dane_check.cgi?host=wizmail.org

BOGUS DNS CNAME lookup _25._tcp.wizmail.org. = _cert301.wizmail.org.

All three are in fact fine.  So the handling of TLSA CNAMEs seems
to be broken.

--
Viktor.