<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Nevel,</p>
<p>Because the servers for havedane.net reply with NXDOMAIN for the
name _tcp.wrong.havedane.net. This is one step above the 25...
name, and it is what qname minimisation attempts to do. They give
dnssec proof too of the nonexistence of the 25... name.</p>
<p>So, this means the servers are not protocol correct. And they
respond with both the (dnssec signed) presence and the (dnssec
signed) absence of the TLSA records. It depends on what you look at
first what the answer is going to be. The NXDOMAIN for the
_tcp name is wrong, and should be an empty nonterminal answer.
Likely a flaw in the software on the server. And also for the
signer I guess, otherwise it would not be validly dnssec signed,
but actually it is dnssec insecure, it seems that the nsec3 for
havedane has optout set. This is also against the spec, there
should not really be authoritative data under an optout span.</p>
<p>If you turn off qname minimisation unbound first asks for the
TLSA and it seems it works. But really it doesn't, and does not
fail immediately. Maybe also for other servers, e.g. once you
asked for the _tcp name they may no longer return the TLSAs (or
until those time out and the cache software looks in cache first
and finds the valid NXDOMAIN first).<br>
</p>
<p>Best regards, Wouter<br>
</p>
<p>dig @2a05:1500:501:1:1c00:6cff:fe00:12d _tcp.wrong.havedane.net.
+dnssec<br>
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:
17746<br>
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL:
1<br>
;; WARNING: recursion requested but not available<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 1680<br>
;; QUESTION SECTION:<br>
;_tcp.wrong.havedane.net. IN A<br>
<br>
;; AUTHORITY SECTION:<br>
havedane.net. 300 IN SOA ns091.auroradns.eu.
admin.auroradns.eu. 2019011601 86400 7200 604800 300<br>
havedane.net. 300 IN RRSIG SOA 8 2 4800
20190620000000 20190530000000 42609 havedane.net.
otoo7bUY2JuWE6zUCcSNTML5Vw8OQyq5ktlx0FcOEllIxYJEC47jSkOP
DChJNkxiOL5fSKhwakb6TPaMLoksfE5X9DeWQniZzb1iZPO6ntzDeaUv
Sonm0dUp/1wEH5pSwM3pMiI8/D2CeH0qv2hlT3ZQxCl3Y+oTGIbQ0/Op 0tI=<br>
tchk01a6c4u00v4qferegafj8uaa0kuu.havedane.net. 300 IN NSEC3 1 1 10
80052F2BC65F99C0 TCHK01A6C4U00V4QFEREGAFJ8UAA0KUV A AAAA RRSIG<br>
tchk01a6c4u00v4qferegafj8uaa0kuu.havedane.net. 300 IN RRSIG NSEC3
8 3 300 20190620000000 20190530000000 42609 havedane.net.
meZexDBWPuLCY8cwAiFeAEhxroLz+0dgYiuxAeWdODETPVAP3+oPdABJ
v6hTDKXLkHRlg2q8FOBPjOZkbUCnRmf203a8LauZpnFSz101PK//iswP
1fSD/4YvyLVrdIhRUyhlOagsOO+LdGg9vRYTPNgq83ohUI1U09Tq1toV /hI=<br>
kfm2301lp75trvmmcmnjomhet1anrkcc.havedane.net. 300 IN NSEC3 1 1 10
80052F2BC65F99C0 KFM2301LP75TRVMMCMNJOMHET1ANRKCE<br>
kfm2301lp75trvmmcmnjomhet1anrkcc.havedane.net. 300 IN RRSIG NSEC3
8 3 300 20190620000000 20190530000000 42609 havedane.net.
pkNh8bMF5PrVpDkz3vZwme+JEwhknNHS20sslBYAzVO+y0pYqdrGGUOb
TR8ievdPhSd94CchOu4Zg4coRKdPqM3E1j50E20qsrlgpd13LQLJ3h+5
Bwc6Xr1tYrzR2tnx6h2V4emAYVSLPskUWhTRYY0RLJxL0kZqIS+mYD9y UIY=<br>
d75017d9r7ogr9sj2sll546mdo1miven.havedane.net. 300 IN NSEC3 1 1 10
80052F2BC65F99C0 D75017D9R7OGR9SJ2SLL546MDO1MIVEP<br>
d75017d9r7ogr9sj2sll546mdo1miven.havedane.net. 300 IN RRSIG NSEC3
8 3 300 20190620000000 20190530000000 42609 havedane.net.
V5tLLyA7ZMpFBCkSNne+Jzbmob1WCnRufrCJKy7ZudhN7QI7jWivkeGn
AaNRCHvIOyxUV9sY1oh4IuK00uhgqbhF8Elq97M05jaoGP5ItpQW0ic0
32HhSZ/OBy3BUJPhzDoAbF8DJDybeRXoL4SCDgMTYd/vgS1Zj5xmj5qu D6I=<br>
</p>
<p><br>
</p>
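<p>The behaviour Wouter describes (qname minimisation walking down one label at a time, an authoritative server answering NXDOMAIN for the empty non-terminal _tcp.wrong.havedane.net, and the resolver then treating everything below that name as non-existent and caching that) can be reproduced with a small in-memory model. The following is an added example written for this thread; it is not Unbound's code. The zone contents are a constructed model (the A record for wrong.havedane.net is made up, the TLSA rdata is what Nevel's dig shows), the <code>buggy_ent</code> switch models the broken server, and <code>ent_answer_is_correct</code> is the check a zone operator would run against their own server.</p>

```python
# Added example for this thread: a model of a qname-minimising resolver
# (RFC 7816) talking to an authoritative server that either handles empty
# non-terminals (ENTs) correctly (NODATA) or, like the server in the thread,
# answers NXDOMAIN for them. Not Unbound's code.

APEX = "havedane.net."

# Constructed zone model. wrong.havedane.net has a (made-up, RFC 5737) address;
# _tcp.wrong.havedane.net has no records of its own, so it is an ENT.
# The TLSA rdata is the pair shown in Nevel's dig output.
ZONE = {
    "havedane.net.": {"SOA": ["ns091.auroradns.eu. admin.auroradns.eu. 2019011601 86400 7200 604800 300"]},
    "wrong.havedane.net.": {"A": ["192.0.2.1"]},
    "_25._tcp.wrong.havedane.net.": {
        "TLSA": [
            "2 1 1 27B694B51D1FEF8885372ACFB39193759722B736B0426864DC1C79D0651FEF72",
            "3 1 1 553ACF88F9EE18CCAAE635CA540F32CB84ACA77C47916682BCB542D51DAA871E",
        ]
    },
}


def authoritative(name, qtype, buggy_ent):
    """Model of the authoritative server. Returns (rcode, list of rdata).

    A correct server answers an ENT with NOERROR and an empty answer (NODATA);
    the buggy behaviour seen in the thread answers NXDOMAIN instead.
    """
    name = name.lower()
    if name in ZONE:
        return "NOERROR", list(ZONE[name].get(qtype, []))  # NODATA if type absent
    if any(owner.endswith("." + name) for owner in ZONE):
        # Names exist below this one, so it is an empty non-terminal.
        return ("NXDOMAIN", []) if buggy_ent else ("NOERROR", [])
    return "NXDOMAIN", []


class Resolver:
    """Minimal recursive resolver with optional qname minimisation and
    RFC 8020 negative caching (a cached NXDOMAIN also denies names below it)."""

    def __init__(self, minimise, buggy_ent):
        self.minimise = minimise
        self.buggy_ent = buggy_ent
        self.nxdomain_cache = set()
        self.sent = []  # (qname, qtype, rcode) for every query sent upstream

    def _ask(self, name, qtype):
        rcode, rrs = authoritative(name, qtype, self.buggy_ent)
        self.sent.append((name, qtype, rcode))
        if rcode == "NXDOMAIN":
            self.nxdomain_cache.add(name.lower())
        return rcode, rrs

    def _denied_by_cache(self, qname):
        labels = qname.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) + "." in self.nxdomain_cache
                   for i in range(len(labels)))

    def resolve(self, qname, qtype):
        """Return (rcode, list of rdata) for qname/qtype."""
        if self._denied_by_cache(qname):
            return "NXDOMAIN", []
        if not self.minimise:
            return self._ask(qname, qtype)
        labels = qname.rstrip(".").split(".")
        n_apex = len(APEX.rstrip(".").split("."))
        # Add one label per query, starting just below the apex. Intermediate
        # queries use type A, as the Unbound log line in the thread shows.
        for k in range(1, len(labels) - n_apex + 1):
            name = ".".join(labels[-(n_apex + k):]) + "."
            final = name.lower() == qname.lower()
            rcode, rrs = self._ask(name, qtype if final else "A")
            if rcode == "NXDOMAIN":
                # RFC 8020: nothing exists below an NXDOMAIN name, so stop here.
                return "NXDOMAIN", []
            if final:
                return rcode, rrs
        return "SERVFAIL", []  # only reached for names at or above the apex


def ent_answer_is_correct(ent_name, buggy_ent):
    """Operator-side check: an ENT must answer NOERROR with no records."""
    rcode, rrs = authoritative(ent_name, "A", buggy_ent)
    return rcode == "NOERROR" and rrs == []


if __name__ == "__main__":
    name = "_25._tcp.wrong.havedane.net."
    for minimise in (False, True):
        r = Resolver(minimise=minimise, buggy_ent=True)
        print("minimise=%s -> %s %s" % (minimise, r.resolve(name, "TLSA")[0], r.sent))
```

<p>Against the buggy server the direct TLSA query succeeds, while the minimised walk stops at the NXDOMAIN for _tcp.wrong.havedane.net and reports NXDOMAIN for the TLSA name. Once that NXDOMAIN is cached, even a non-minimised query on the same resolver is answered NXDOMAIN without asking upstream, which is the delayed failure Wouter mentions.</p>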
<div class="moz-cite-prefix">On 12/06/2019 06:13, Nevel Gandish via
Unbound-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CALQ-LaDSp=Ai0bQ4ipPaxC7qrV0-SmXJ8Zj7GMub0ByYTkEicg@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>
<div>Hello,<br>
<br>
</div>
<div>I'm trying to test my mail server with <a
href="https://havedane.net"
moz-do-not-send="true">https://havedane.net</a>
but it will send mails to the subdomain with
an invalid DANE entry.<br>
</div>
<div>The reason seems to be that my local unbound
(1.9.0) installation gives NXDOMAIN when
looking up _25._<a
href="http://tcp.wrong.havedane.net"
moz-do-not-send="true">tcp.wrong.havedane.net</a>:<br>
</div>
<div><br>
; <<>> DiG 9.10.3-P4-Debian
<<>> _25._<a
href="http://tcp.wrong.havedane.net"
moz-do-not-send="true">tcp.wrong.havedane.net</a>
TLSA<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY,
status: NXDOMAIN, id: 29911<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 0,
AUTHORITY: 1, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 4096<br>
;; QUESTION SECTION:<br>
;_25._<a
href="http://tcp.wrong.havedane.net"
moz-do-not-send="true">tcp.wrong.havedane.net</a>.
IN TLSA<br>
<br>
;; AUTHORITY SECTION:<br>
<a href="http://havedane.net"
moz-do-not-send="true">havedane.net</a>.
103 IN SOA <a
href="http://ns091.auroradns.eu"
moz-do-not-send="true">ns091.auroradns.eu</a>.
<a href="http://admin.auroradns.eu"
moz-do-not-send="true">admin.auroradns.eu</a>.
2019011601 86400 7200 604800 300<br>
<br>
<br>
Unbound log:<br>
Jun 11 20:53:27 unbound[8830:0] info: reply
from <<a href="http://havedane.net"
moz-do-not-send="true">havedane.net</a>.>
185.103.243.231#53<br>
Jun 11 20:53:27 unbound[8830:0] info: query
response was NXDOMAIN ANSWER<br>
Jun 11 20:53:27 unbound[8830:0] info:
127.0.0.1 _25._<a
href="http://tcp.wrong.havedane.net"
moz-do-not-send="true">tcp.wrong.havedane.net</a>.
A IN NXDOMAIN 0.451754 0 116<br>
<br>
<br>
</div>
<div>But this TLSA RR exists and it's found
when using any other NS like here (or with @<a
href="http://46.182.19.48"
moz-do-not-send="true">46.182.19.48</a> or
@<a href="http://9.9.9.9"
moz-do-not-send="true">9.9.9.9</a> or
whatever):<br>
<br>
; <<>> DiG 9.10.3-P4-Debian
<<>> _25._<a
href="http://tcp.wrong.havedane.net"
moz-do-not-send="true">tcp.wrong.havedane.net</a>
TLSA @<a href="http://8.8.8.8"
moz-do-not-send="true">8.8.8.8</a><br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY,
status: NOERROR, id: 22860<br>
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2,
AUTHORITY: 0, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 512<br>
;; QUESTION SECTION:<br>
;_25._<a
href="http://tcp.wrong.havedane.net"
moz-do-not-send="true">tcp.wrong.havedane.net</a>.
IN TLSA<br>
<br>
;; ANSWER SECTION:<br>
_25._<a href="http://tcp.wrong.havedane.net"
moz-do-not-send="true">tcp.wrong.havedane.net</a>.
3599 IN TLSA 2 1 1
27B694B51D1FEF8885372ACFB39193759722B736B0426864DC1C79D0
651FEF72<br>
_25._<a href="http://tcp.wrong.havedane.net"
moz-do-not-send="true">tcp.wrong.havedane.net</a>.
3599 IN TLSA 3 1 1
553ACF88F9EE18CCAAE635CA540F32CB84ACA77C47916682BCB542D5
1DAA871E<br>
</div>
<div><br>
</div>
<div><br>
I don't know what to look for in my
installation or configuration. What results
do you get when running that request?<br>
</div>
<div><br>
</div>
Bye,<br>
</div>
Nevel<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
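<p>The NSEC3 records in Wouter's dig output have the flags field set to 1, which is the Opt-Out bit he refers to. The following added example (written for this thread, not Unbound's or the zone operator's code) parses NSEC3 records in dig's presentation format, reports the Opt-Out flag, and computes the RFC 5155 hash of a name so one can tell whether a given record matches the name (proving it exists, with the listed types) or covers it (proving it does not exist). The three record lines are copied from Wouter's dig output; which names they match or cover is computed at run time and not claimed here.</p>

```python
# Added example for this thread: parse NSEC3 records from dig output, show the
# Opt-Out flag, and check which names a record matches or covers (RFC 5155).
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"

# Copied from Wouter's dig output above (line breaks joined).
PAGE_NSEC3 = [
    "tchk01a6c4u00v4qferegafj8uaa0kuu.havedane.net. 300 IN NSEC3 1 1 10 "
    "80052F2BC65F99C0 TCHK01A6C4U00V4QFEREGAFJ8UAA0KUV A AAAA RRSIG",
    "kfm2301lp75trvmmcmnjomhet1anrkcc.havedane.net. 300 IN NSEC3 1 1 10 "
    "80052F2BC65F99C0 KFM2301LP75TRVMMCMNJOMHET1ANRKCE",
    "d75017d9r7ogr9sj2sll546mdo1miven.havedane.net. 300 IN NSEC3 1 1 10 "
    "80052F2BC65F99C0 D75017D9R7OGR9SJ2SLL546MDO1MIVEP",
]


def base32hex(data):
    """RFC 4648 base32hex, lowercase, no padding (the NSEC3 owner-name alphabet)."""
    bits = "".join(format(b, "08b") for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1 over the lowercase wire-format name plus salt,
    re-hashed `iterations` more times, then base32hex-encoded."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def parse_nsec3(line):
    """Parse one NSEC3 record in dig's presentation format into a dict."""
    fields = line.split()
    if len(fields) < 9 or fields[3] != "NSEC3":
        raise ValueError("not an NSEC3 record: %r" % line)
    flags = int(fields[5])
    return {
        "owner_hash": fields[0].split(".")[0].lower(),
        "zone": fields[0].split(".", 1)[1],
        "algorithm": int(fields[4]),
        "flags": flags,
        "optout": bool(flags & 1),  # bit 0 is the Opt-Out flag (RFC 5155 3.1.2.1)
        "iterations": int(fields[6]),
        "salt": fields[7],
        "next_hash": fields[8].lower(),
        "types": fields[9:],
    }


def hash_in_span(h, owner, nxt):
    """True if hash h lies strictly between owner and next, wrapping at the end
    of the hash order; base32hex keeps lexical order equal to hash order."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt  # span wraps around (or a single-record chain)


def relation(record, name):
    """'match' if the record's owner hash is the hash of name (name exists and
    the type bitmap is authoritative for it), 'cover' if the span proves the
    name does not exist, otherwise 'none'."""
    h = nsec3_hash(name, record["salt"], record["iterations"])
    if h == record["owner_hash"]:
        return "match"
    if hash_in_span(h, record["owner_hash"], record["next_hash"]):
        return "cover"
    return "none"


if __name__ == "__main__":
    for rec in map(parse_nsec3, PAGE_NSEC3):
        print(rec["owner_hash"], "optout=%s" % rec["optout"], rec["types"])
        for qname in ("_tcp.wrong.havedane.net.", "*.wrong.havedane.net.",
                      "wrong.havedane.net.", "_25._tcp.wrong.havedane.net."):
            print("    %-32s %s" % (qname, relation(rec, qname)))
```

<p>Running it shows, for each record, whether it is the matching NSEC3 for one of the names involved in the query or a covering one. Note that the second and third records have a next hash that is only one or two positions past their owner hash, so each covers at most a single hash value. To double-check the hash routine, RFC 5155 Appendix A lists hashes for its example zone (salt aabbccdd, 12 iterations).</p>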
</body>
</html>