local unbound resolver fails @ DANE TLSA lookups; ok with external NS ?
Havard Eidnes
he at uninett.no
Thu Oct 6 18:21:12 UTC 2022
> sending recent mail via my local mail server
>
> postfix 3.7.2
>
> to
>
> CASTEP at state.gov
>
> using local resolver
>
> unbound 1.16.2
>
> I see in the logs lots of these warnings/errors,
>
> 2022-10-05T17:30:13.602980-04:00 mx03 postfix/smtp-out-ext/smtp[8484]:
> warning: TLS policy lookup for state.gov/christopher-ew.state.gov:
> TLSA lookup error for christopher-ew.state.gov:25
> 2022-10-05T17:30:14.353543-04:00 mx03 postfix/smtp-out-ext/smtp[8484]:
> warning: DANE TLSA lookup problem: Host or domain name not found. Name
> service error for name=_25._tcp.stimson.state.gov type=TLSA: Host not
> found, try again
Pasting
_25._tcp.christopher-ew.state.gov
and
_25._tcp.stimson.state.gov
into https://dnsviz.net/
indicates
1) there is nothing basically wrong with the publication setup
for these zones
2) there are a few uses of SHA-1 (no longer recommended), but
there are also SHA-256-based DS records around, so those should
be preferred
3) the non-existence of these names is apparently properly
DNSSEC-signed
I'm not seeing a SERVFAIL for the former when I query my local
unbound server running 1.16.0:
% dig @my-local-unbound-resolver _25._tcp.christopher-ew.state.gov. tlsa
; <<>> DiG 9.16.20 <<>> @my-local-unbound-resolver _25._tcp.christopher-ew.state.gov. tlsa
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37754
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_25._tcp.christopher-ew.state.gov. IN TLSA
;; AUTHORITY SECTION:
state.gov. 900 IN SOA o-bimc-dns001.grid.state.sbu. hostmaster.state.gov. 71488 10800 1080 2419200 900
;; Query time: 63 msec
;; SERVER: 2001:700:0:ff00::2#53(2001:700:0:ff00::2)
;; WHEN: Thu Oct 06 18:52:37 CEST 2022
;; MSG SIZE rcvd: 137
and this is properly DNSSEC-validated by my unbound recursor,
ref. the "ad" flag (there's no need to bundle a lot of other
query flags). NXDOMAIN means "the queried-for name does not
exist at all in the naming tree" (i.e. independent of the
queried-for type), and also that there is nothing "below" this
name in the naming tree.
> reading
>
> Problem with TLSA & CNAME Wildcard
> https://mailing.postfix.users.narkive.com/VGejQATw/problem-with-tlsa-cname-wildcard
>
> suggests a resolver problem
I cannot find a CNAME record on either of these names:
_25._tcp.christopher-ew.state.gov.
*._tcp.christopher-ew.state.gov.
*.christopher-ew.state.gov.
*.state.gov.
(by directly querying one of the publishing NSes for state.gov)
> any hints as to cause/cure for this failing dane/tlsa query? or
> where/how to dig further?
The queried-for names do not exist?
Regards,
- Håvard
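The distinction Håvard draws above is the one a mail operator needs to make: a DNSSEC-validated NXDOMAIN (the "ad" flag set) tells Postfix there is no TLSA record and it falls back to opportunistic TLS, whereas a SERVFAIL from the local resolver is what surfaces as "TLSA lookup error" / "Host not found, try again" and defers delivery. The following script is an added example, not part of the thread or of the Unbound or Postfix projects: it parses the header lines that dig prints and classifies the answer. The NXDOMAIN sample is the dig output quoted in the message; the SERVFAIL and TLSA samples are constructed, and `mail.example.net` and its hash are placeholders.

```python
"""Classify a resolver's answer to a DANE TLSA query from dig's text output.

Added example (not from the mailing-list thread). It reads the status and
flags from dig's header lines and decides whether the resolver delivered a
DNSSEC-validated denial of existence, a usable TLSA record set, or a
SERVFAIL that a DANE-enabled MTA would treat as a lookup error.
"""
import re

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")

# dig output quoted in the thread: validated NXDOMAIN from an unbound recursor.
NXDOMAIN_AD = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37754
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;_25._tcp.christopher-ew.state.gov. IN TLSA
;; AUTHORITY SECTION:
state.gov. 900 IN SOA o-bimc-dns001.grid.state.sbu. hostmaster.state.gov. 71488 10800 1080 2419200 900
"""

# Constructed: what a resolver that cannot complete or validate the lookup returns.
SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;_25._tcp.stimson.state.gov. IN TLSA
"""

# Constructed: a validated TLSA answer for a placeholder MX host (hash is dummy data).
TLSA_AD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;_25._tcp.mail.example.net. IN TLSA
;; ANSWER SECTION:
_25._tcp.mail.example.net. 3600 IN TLSA 3 1 1 """ + "0123456789abcdef" * 4 + "\n"


def parse_dig(output: str) -> dict:
    """Return the RCODE, the header flags and any TLSA RDATA found in the answer section."""
    status, flags, answers, section = None, set(), [], None
    for line in output.splitlines():
        m = HEADER_RE.search(line)
        if m:
            status = m.group(2)
            continue
        m = FLAGS_RE.search(line)
        if m:
            flags = set(m.group(1).split())
            continue
        if line.startswith(";; ANSWER SECTION:"):
            section = "answer"
            continue
        if line.startswith(";"):          # other section headers, question line, comments
            section = None if line.startswith(";;") else section
            continue
        if section == "answer" and line.strip():
            fields = line.split()
            # owner TTL class type rdata... ; keep only TLSA RDATA
            if len(fields) >= 5 and fields[3] == "TLSA":
                answers.append(" ".join(fields[4:]))
    return {"status": status, "flags": flags, "tlsa": answers}


def classify(parsed: dict) -> str:
    """Map a parsed answer onto what a DANE-aware MTA would do with it."""
    status, flags, tlsa = parsed["status"], parsed["flags"], parsed["tlsa"]
    if status == "SERVFAIL":
        # Resolver failure or failed validation: the MTA cannot tell whether
        # TLSA records exist, so it logs a lookup error and defers ("try again").
        return "lookup-error"
    if tlsa:
        # TLSA data is only usable for DANE when the resolver asserts it validated (ad).
        return "dane-usable" if "ad" in flags else "tlsa-unauthenticated"
    if status in ("NXDOMAIN", "NOERROR"):
        # Secure denial of existence: no DANE for this host, opportunistic TLS instead.
        return "validated-nonexistent" if "ad" in flags else "insecure-nonexistent"
    return "unknown"


if __name__ == "__main__":
    for label, sample in (("quoted NXDOMAIN", NXDOMAIN_AD), ("SERVFAIL", SERVFAIL), ("TLSA", TLSA_AD)):
        print(f"{label:16s} -> {classify(parse_dig(sample))}")
```

Run it against the saved output of `dig @<resolver> _25._tcp.<mx-host>. tlsa` for the resolver Postfix actually uses; a "lookup-error" result points at the local recursor (validation or upstream fetch failing), while "validated-nonexistent" is the benign case shown in the thread.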