dane.sys4.de: certificate not trusted: (27)
Dear DANE users,
Validating the SMTP DANE setup of, it results in success but the details show two untrusted certificates:
mx2.molgen.mpg.de (141.14.17.10) [1]:
3, 1, 2 7aad43a0fdff3445[...]49cd4a23db83374c - certificate not trusted: (27)
molgen.mpg.de (a1241.mx.srv.dfn.de, 194.95.232.62)
3, 0, 1 c613b846076b5503[...]539e7ac79a3f13e9 - certificate not trusted: (27)
It’d be great if you pointed me in the direction of how to get more details on these issues.
Kind regards,
Paul
[1]: https://dane.sys4.de/smtp/mx2.molgen.mpg.de
[2]: https://dane.sys4.de/smtp/molgen.mpg.de
On Tue, Jul 11, 2023 at 01:35:39PM +0200, Paul Menzel wrote:
> Validating the SMTP DANE setup of, it results in success but the details show two untrusted certificates:
I should also mention that you can now also look at your domain's status at:
https://stats.dnssec-tools.org/explore/?molgen.mpg.de
which shows a more detailed (and I think clearer) analysis, albeit at the cost of not being real-time (a once-a-day snapshot). There you'll see that there are no DANE TLSA issues with your domain, just some deprecated DS and DNSKEY parameters.
It is time to move on from algorithm 7 to either 13 (preferred) or 8 (if you must). Increasingly, some resolvers (particularly on RedHat systems) no longer support DNSSEC algorithms that use RSA+SHA1 signatures, i.e. algorithms 5 and 7, and their use has already declined 93% from peak values:
https://stats.dnssec-tools.org/#/?dnssec_param_tab=0
and now we're just waiting for the long-tail hangers-on.
On Tue, Jul 11, 2023 at 01:35:39PM +0200, Paul Menzel wrote:
> Validating the SMTP DANE setup of, it results in success but the details show two untrusted certificates:
> mx2.molgen.mpg.de (141.14.17.10) [1]:
> 3, 1, 2 7aad43a0fdff3445[...]49cd4a23db83374c - certificate not trusted: (27)
> molgen.mpg.de (a1241.mx.srv.dfn.de, 194.95.232.62)
> 3, 0, 1 c613b846076b5503[...]539e7ac79a3f13e9 - certificate not trusted: (27)
> It’d be great if you pointed me in the direction of how to get more details on these issues.
There is no issue, it is just a perhaps misleading indication of what would happen if that particular TLSA record were the only one you published. Since one of the TLSA records matches, you're all set.
Paul Menzel wrote on 2023-07-11 13:35:
> Dear DANE users,
> Validating the SMTP DANE setup of, it results in success but the details show two untrusted certificates:
> mx2.molgen.mpg.de (141.14.17.10) [1]:
> 3, 1, 2 7aad43a0fdff3445[...]49cd4a23db83374c - certificate not trusted: (27)
> molgen.mpg.de (a1241.mx.srv.dfn.de, 194.95.232.62)
> 3, 0, 1 c613b846076b5503[...]539e7ac79a3f13e9 - certificate not trusted: (27)
> It’d be great if you pointed me in the direction of how to get more details on these issues.
# posttls-finger dane.sys4.de
...
posttls-finger: dane.sys4.de[194.126.158.134]:25: Matched DANE EE certificate at depth 0: 3 1 1 EB74FE41C51D2876A50F0FE95BA6441119A38597A177E1BA54D68ACB9A91EFA3
posttls-finger: dane.sys4.de[194.126.158.134]:25: subject_CN=dane.sys4.de, issuer_CN=R3, fingerprint=CB:66:26:6C:22:32:98:BB:8B:DA:4C:D3:53:7C:BF:45:A8:DE:D6:C2:76:4C:2C:E2:60:C4:5D:33:77:B6:C3:81, pkey_fingerprint=EB:74:FE:41:C5:1D:28:76:A5:0F:0F:E9:5B:A6:44:11:19:A3:85:97:A1:77:E1:BA:54:D6:8A:CB:9A:91:EF:A3
posttls-finger: Verified TLS connection established to dane.sys4.de[194.126.158.134]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
...
seems ok?
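Viktor's remark earlier in the thread (a single matching TLSA record is enough, and the "certificate not trusted" verdicts on the other records only describe what would happen if each stood alone) and Benny's posttls-finger line "Matched DANE EE certificate at depth 0: 3 1 1 ..." both follow from how TLSA matching works. The Python below is an added worked example, not code from this thread, from dane.sys4.de or from Postfix: it parses TLSA records in presentation form, computes the association data for each selector and matching type, and reports per-record and overall verdicts against a served certificate chain. The DER blobs, the chain and the RRset are constructed placeholders; a real check would take the leaf and issuer certificates from the TLS handshake and extract each SubjectPublicKeyInfo with an X.509 library.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in DER blobs (hypothetical, not real certificates).
# In a real check the leaf certificate and its issuer come from the TLS
# handshake, and each SubjectPublicKeyInfo (SPKI) is extracted with an
# X.509 library; here the bytes are only inputs to the hashing below.
LEAF_CERT = b"constructed: leaf certificate DER"
LEAF_SPKI = b"constructed: leaf SubjectPublicKeyInfo DER"
ISSUER_CERT = b"constructed: intermediate CA certificate DER"
ISSUER_SPKI = b"constructed: intermediate CA SubjectPublicKeyInfo DER"
OLD_CERT = b"constructed: previous, already rotated-out leaf certificate DER"

# Chain as presented by the server: leaf first (depth 0), then issuers.
CHAIN: List[Tuple[bytes, bytes]] = [(LEAF_CERT, LEAF_SPKI), (ISSUER_CERT, ISSUER_SPKI)]


@dataclass(frozen=True)
class TLSA:
    usage: int     # 2 = DANE-TA, 3 = DANE-EE (the usages used for SMTP)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(text: str) -> TLSA:
    """Parse presentation form '3 1 1 <hex>'; the validator's '3, 1, 1 <hex>' works too."""
    usage, selector, mtype, hexdata = text.replace(",", " ").split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must equal for this certificate."""
    if rec.selector == 0:
        selected = cert_der
    elif rec.selector == 1:
        selected = spki_der
    else:
        raise ValueError(f"unknown selector {rec.selector}")
    if rec.mtype == 0:
        return selected
    if rec.mtype == 1:
        return hashlib.sha256(selected).digest()
    if rec.mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {rec.mtype}")


def matching_depth(rec: TLSA, chain: List[Tuple[bytes, bytes]]) -> Optional[int]:
    """Depth in the chain at which the record matches, or None if it does not.

    DANE-EE (usage 3) may only match the leaf at depth 0; DANE-TA (usage 2)
    must match an issuer certificate above the leaf. PKIX usages 0 and 1
    would additionally need PKIX chain validation, which is out of scope here.
    """
    if rec.usage == 3:
        candidates = [0]
    elif rec.usage == 2:
        candidates = list(range(1, len(chain)))
    else:
        raise ValueError(f"usage {rec.usage} (PKIX-TA/PKIX-EE) not handled here")
    for depth in candidates:
        cert_der, spki_der = chain[depth]
        if association_data(rec, cert_der, spki_der) == rec.data:
            return depth
    return None


def evaluate(records: List[TLSA], chain: List[Tuple[bytes, bytes]]):
    """Return (per-record depth or None, overall verdict).

    The connection is DANE-verified as soon as ANY record matches; the
    non-matching records only show what would happen if each stood alone.
    """
    depths = [matching_depth(rec, chain) for rec in records]
    return depths, any(d is not None for d in depths)


# Constructed RRset: the kind of mix the validator reported, with records
# that do not match the served certificate published next to ones that do.
SAMPLE_RECORDS = [
    parse_tlsa("3 1 1 " + hashlib.sha256(LEAF_SPKI).hexdigest()),    # current key, matches at depth 0
    parse_tlsa("3 1 2 " + hashlib.sha512(ISSUER_SPKI).hexdigest()),  # issuer key under DANE-EE: no match
    parse_tlsa("3, 0, 1 " + hashlib.sha256(OLD_CERT).hexdigest()),   # stale, rotated-out certificate
    parse_tlsa("2 1 1 " + hashlib.sha256(ISSUER_SPKI).hexdigest()),  # DANE-TA on the issuer, depth 1
]


def report(records: List[TLSA], chain: List[Tuple[bytes, bytes]]) -> str:
    """Per-record lines in the validator's style plus the overall result."""
    depths, ok = evaluate(records, chain)
    lines = []
    for rec, depth in zip(records, depths):
        short = rec.data.hex()[:16] + "[...]"
        verdict = f"matched at depth {depth}" if depth is not None else "certificate not trusted"
        lines.append(f"{rec.usage} {rec.selector} {rec.mtype} {short} - {verdict}")
    lines.append("DANE verification: " + ("OK (at least one record matches)" if ok else "FAILED"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RECORDS, CHAIN))
```

Running it prints one line per record and an overall verdict: the two non-matching records are reported as untrusted, yet the RRset as a whole verifies because the first and last records match. Usages 0 and 1 are rejected on purpose, since they require PKIX chain validation and are not used for SMTP DANE (RFC 7672); the example covers only the DANE-TA and DANE-EE cases that matter for MX hosts.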
Dear Benny,
On 11.07.23 at 18:48, Benny Pedersen wrote:
> Paul Menzel wrote on 2023-07-11 13:35:
>> Validating the SMTP DANE setup of, it results in success but the details show two untrusted certificates:
>> mx2.molgen.mpg.de (141.14.17.10) [1]:
>> 3, 1, 2 7aad43a0fdff3445[...]49cd4a23db83374c - certificate not trusted: (27)
>> molgen.mpg.de (a1241.mx.srv.dfn.de, 194.95.232.62)
>> 3, 0, 1 c613b846076b5503[...]539e7ac79a3f13e9 - certificate not trusted: (27)
>> It’d be great if you pointed me in the direction of how to get more details on these issues.
> # posttls-finger dane.sys4.de ...
> […]
https://dane.sys4.de is the Web SMTP DANE validator.
Kind regards,
Paul
On Tue, Jul 11, 2023 at 07:01:07PM +0200, Paul Menzel wrote:
> On 11.07.23 at 18:48, Benny Pedersen wrote:
>> Paul Menzel wrote on 2023-07-11 13:35:
>>> Validating the SMTP DANE setup of, it results in success but the details show two untrusted certificates:
>>> mx2.molgen.mpg.de (141.14.17.10) [1]:
>>> 3, 1, 2 7aad43a0fdff3445[...]49cd4a23db83374c - certificate not trusted: (27)
>>> molgen.mpg.de (a1241.mx.srv.dfn.de, 194.95.232.62)
>>> 3, 0, 1 c613b846076b5503[...]539e7ac79a3f13e9 - certificate not trusted: (27)
>>> It’d be great if you pointed me in the direction of how to get more details on these issues.
>> # posttls-finger dane.sys4.de ...
> https://dane.sys4.de is the Web SMTP DANE validator.
Feel free to ignore distracting/irrelevant follow up comments.
The code behind https://dane.sys4.de is *a* SMTP DANE validator, but, though still useful, is no longer necessarily deserving of being called *the* SMTP DANE validator. It is not actively maintained, and is now a bit dated.
If you're willing to settle for data that is up to ~24 hours old, and your domain is covered by the DANE survey at
https://stats.dnssec-tools.org/
look there first. Then if you think you've fixed the reported issues, and want a real-time sanity check (don't want to wait for the next run), look at dane.sys4.de. Presently survey runs start shortly after 16:00 UTC and complete shortly after 20:00 UTC (each survey run performs ~100 million DNS queries, and makes around 20k SMTP connections).
Dear Viktor,
Thank you very much for your high-quality and very useful replies.
On 11.07.23 at 19:45, Viktor Dukhovni wrote:
> On Tue, Jul 11, 2023 at 07:01:07PM +0200, Paul Menzel wrote:
>> On 11.07.23 at 18:48, Benny Pedersen wrote:
>>> Paul Menzel wrote on 2023-07-11 13:35:
>>>> Validating the SMTP DANE setup of, it results in success but the details show two untrusted certificates:
>>>> mx2.molgen.mpg.de (141.14.17.10) [1]:
>>>> 3, 1, 2 7aad43a0fdff3445[...]49cd4a23db83374c - certificate not trusted: (27)
>>>> molgen.mpg.de (a1241.mx.srv.dfn.de, 194.95.232.62)
>>>> 3, 0, 1 c613b846076b5503[...]539e7ac79a3f13e9 - certificate not trusted: (27)
>>>> It’d be great if you pointed me in the direction of how to get more details on these issues.
>>> # posttls-finger dane.sys4.de ...
>> https://dane.sys4.de is the Web SMTP DANE validator.
> Feel free to ignore distracting/irrelevant follow up comments.
> The code behind https://dane.sys4.de is *a* SMTP DANE validator, but, though still useful, is no longer necessarily deserving of being called *the* SMTP DANE validator. It is not actively maintained, and is now a bit dated.
I didn’t know that. Thank you for the clarification.
> If you're willing to settle for data that is up to ~24 hours old, and your domain is covered by the DANE survey at
> https://stats.dnssec-tools.org/
> look there first. Then if you think you've fixed the reported issues, and want a real-time sanity check (don't want to wait for the next run), look at dane.sys4.de. Presently survey runs start shortly after 16:00 UTC and complete shortly after 20:00 UTC (each survey run performs ~100 million DNS queries, and makes around 20k SMTP connections).
That looks very useful. I am going to use that first from now on.
Kind regards,
Paul