On Sep 4, 2018, at 10:39 AM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
An alternative fix is to disable qname-minimization (which does run into interop issues in such cases):
    server:
        qname-minimisation: no
Then you'll find that the TLSA records actually exist! And mail to this domain will be partly protected by DANE (barring forged MX records, which leave forensic evidence in your logs).
I should mention that at least four domains with the MX host in question are also DNSSEC-signed, so disabling DNSSEC would disable DANE for those four domains:
    enterprise-email.com. IN MX 10 login.enterprise-email.com. ; NoError AD=1
    marcriemer.de. IN MX 10 login.enterprise-email.com. ; NoError AD=1
    marcriemer.de. IN MX 20 smtp-in20.enterprise-email.com. ; NoError AD=1
    weliano.com. IN MX 10 login.enterprise-email.com. ; NoError AD=1
    weliano.com. IN MX 20 smtp-in20.enterprise-email.com. ; NoError AD=1
    flexiconf.com. IN MX 10 login.enterprise-email.com. ; NoError AD=1
    flexiconf.com. IN MX 20 smtp-in20.enterprise-email.com. ; NoError AD=1

    login.enterprise-email.com[95.128.200.159]: pass: TLSA match: depth = 0, name = login.enterprise-email.com
      cert sha256 [matched] <- 3 0 1 ebb423a21d60370e9f9df7e5fdef08518748142c4411749758e386c560f05eba
    smtp-in20.enterprise-email.com[46.235.201.57]: pass: TLSA match: depth = 0, name = smtp-in20.enterprise-email.com
      cert sha256 [matched] <- 3 0 1 3f82f164796edead461434a60f13bf21416e6fba5f15c9a08c6483b644f81009
    smtp-in20.enterprise-email.com[2a00:1200:0:9::65b]: pass: TLSA match: depth = 0, name = smtp-in20.enterprise-email.com
      cert sha256 [matched] <- 3 0 1 3f82f164796edead461434a60f13bf21416e6fba5f15c9a08c6483b644f81009
So you can have either qname-minimization, or unimpeded delivery to this and similar domains. You might reach out to the tech-support team at enterprise-email.com and ask them to fix their nameservers; the mishandling of empty non-terminals needs to be fixed.
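To make the interop failure described above concrete, here is an added model (not code from the thread or from any resolver) of a nameserver that answers NXDOMAIN for an empty non-terminal, and of what a qname-minimising resolver does with that answer when it walks towards a TLSA record. The zone, the names under example.test and the TLSA digest are all constructed placeholders.

```python
# Constructed model (not part of the original thread) of the qname-minimisation
# interop failure: a nameserver that answers NXDOMAIN for an empty non-terminal
# (ENT) makes a minimising resolver give up before it reaches the TLSA record.
APEX = "example.test."

# Made-up zone. "_tcp.login.example.test." owns no records of its own, so it is
# an ENT that exists only because a name below it has data. The TLSA digest is
# a placeholder, not a real certificate hash.
ZONE = {
    "example.test.": {"SOA": ["ns1.example.test. hostmaster.example.test. 1 3600 900 604800 300"]},
    "login.example.test.": {"A": ["192.0.2.10"]},
    "_25._tcp.login.example.test.": {"TLSA": ["3 0 1 <placeholder-sha256>"]},
}


def existing_names():
    """Every name that exists in the zone: record owners plus their ancestors (the ENTs)."""
    names = set()
    for owner in ZONE:
        labels = owner.split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            if name.endswith(APEX):
                names.add(name)
    return names


def authoritative(qname, qtype, handles_ents=True):
    """Answer one query as the authoritative server would.
    Conformant behaviour: an ENT gets NOERROR with an empty answer (NODATA).
    Broken behaviour (handles_ents=False): the ENT is answered with NXDOMAIN."""
    rrsets = ZONE.get(qname)
    if rrsets is not None:
        return "NOERROR", rrsets.get(qtype, [])
    if qname in existing_names() and handles_ents:
        return "NOERROR", []
    return "NXDOMAIN", []


def resolve(qname, qtype, minimise, handles_ents=True):
    """Resolve qname/qtype either by asking the full name at once (minimise=False)
    or by revealing one label at a time below the apex (minimise=True, in the
    spirit of RFC 7816: intermediate names are probed with NS, the last with qtype)."""
    labels = qname.rstrip(".").split(".")
    apex_len = len(APEX.rstrip(".").split("."))
    if not minimise or len(labels) <= apex_len:
        return authoritative(qname, qtype, handles_ents)
    rcode, rrs = "NOERROR", []
    for n in range(apex_len + 1, len(labels) + 1):
        partial = ".".join(labels[-n:]) + "."
        rcode, rrs = authoritative(partial, qtype if partial == qname else "NS", handles_ents)
        if rcode == "NXDOMAIN":  # minimising resolver stops: the name "does not exist"
            return rcode, []
    return rcode, rrs
```

Running `resolve("_25._tcp.login.example.test.", "TLSA", minimise=True, handles_ents=False)` returns NXDOMAIN although the record exists, while the same lookup with `minimise=False` (the unbound setting quoted above) finds it.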