Comments (6)
At the time that I checked, against an Unbound 1.15.0 resolver, it worked for me. See below. Your unbound check tells me that the localhost resolver is probably fine, but it's an error message about the second DNS resolver in your /etc/resolv.conf file.
If I use that IP, dig -t a @141.14.16.1 mx3.molgen.mpg.de tells me recursion not available (perhaps an ACL issue?), and also returns non-authoritative data (the AD bit is not set in the header). So, it looks as though smtpdane has done its job perfectly and complained about being unable to validate with DNSSEC; the reason it can't validate is because the configured local resolver isn't providing DNSSEC verifying service to you. There's an open todo item to implement a DNSSEC validator natively instead of relying upon system resolvers, but that would actually just mask a real problem here. SMTP DANE won't work for you in your setup while you're using a DNS resolver which breaks validation.
% smtpdane mx3.molgen.mpg.de
found 1 secure addresses for "mx3.molgen.mpg.de" at "mx3.molgen.mpg.de.": [141.14.17.11]
found 2 TLSA records for "_25._tcp.mx3.molgen.mpg.de."
3 1 2 ...3c05180b94534145fecd30ac3a06166c6b9dac854e26bc8be37e83c0c3bbea4b8c2
3 1 2 ...c2832ef72f5dc12b5fe3984bafe1b87406207edad34a4f3e11f49cd4a23db83374c
[mx3.molgen.mpg.de 141.14.17.11] issuing STARTTLS [port 25]
[mx3.molgen.mpg.de 141.14.17.11] TLSA DANE-EE(3) match: 3 1 2 ...e83c0c3bbea4b8c2
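The "TLSA DANE-EE(3) match: 3 1 2 ..." line above is the result of hashing the server's certificate and comparing it with the published record. The following is an added example, not code from smtpdane or from this thread, showing how a "3 1 2" record (usage DANE-EE, selector SubjectPublicKeyInfo, matching type SHA-512) is derived from a certificate and matched against one. The certificate is a throwaway self-signed one generated in the block; the hostname mx.example.test and all function names are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the RDATA of one TLSA record (RFC 6698): certificate usage,
// selector, matching type and the certificate association data.
type TLSA struct {
	Usage, Selector, MType uint8
	Data                   []byte
}

// selectorBytes picks the part of the certificate the selector refers to:
// 0 = full DER certificate, 1 = SubjectPublicKeyInfo (SPKI).
func selectorBytes(cert *x509.Certificate, selector uint8) ([]byte, error) {
	switch selector {
	case 0:
		return cert.Raw, nil
	case 1:
		return cert.RawSubjectPublicKeyInfo, nil
	}
	return nil, fmt.Errorf("unsupported selector %d", selector)
}

// associationData applies the matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
func associationData(b []byte, mtype uint8) ([]byte, error) {
	switch mtype {
	case 0:
		return b, nil
	case 1:
		h := sha256.Sum256(b)
		return h[:], nil
	case 2:
		h := sha512.Sum512(b)
		return h[:], nil
	}
	return nil, fmt.Errorf("unsupported matching type %d", mtype)
}

// RecordFor computes the RDATA a zone operator publishes for leaf, e.g. (3, 1, 2).
func RecordFor(leaf *x509.Certificate, usage, selector, mtype uint8) (TLSA, error) {
	sel, err := selectorBytes(leaf, selector)
	if err != nil {
		return TLSA{}, err
	}
	data, err := associationData(sel, mtype)
	if err != nil {
		return TLSA{}, err
	}
	return TLSA{Usage: usage, Selector: selector, MType: mtype, Data: data}, nil
}

// Matches reports whether the server's leaf certificate satisfies a DANE-EE(3)
// record. With usage 3 the leaf alone is authoritative: no PKIX chain, name or
// expiry check applies (RFC 7671). Other usages need chain handling and are
// rejected here rather than silently accepted.
func (t TLSA) Matches(leaf *x509.Certificate) (bool, error) {
	if t.Usage != 3 {
		return false, fmt.Errorf("usage %d is not handled by this example", t.Usage)
	}
	sel, err := selectorBytes(leaf, t.Selector)
	if err != nil {
		return false, err
	}
	want, err := associationData(sel, t.MType)
	if err != nil {
		return false, err
	}
	return bytes.Equal(want, t.Data), nil
}

// String renders the record in zone-file presentation format ("3 1 2 <hex>").
func (t TLSA) String() string {
	return fmt.Sprintf("%d %d %d %s", t.Usage, t.Selector, t.MType, hex.EncodeToString(t.Data))
}

// selfSignedCert builds a throwaway ECDSA certificate as constructed input;
// a real check uses the certificate presented after STARTTLS.
func selfSignedCert(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	leaf, err := selfSignedCert("mx.example.test")
	if err != nil {
		panic(err)
	}
	rec, _ := RecordFor(leaf, 3, 1, 2)
	fmt.Println("_25._tcp.mx.example.test. IN TLSA", rec)
	ok, _ := rec.Matches(leaf)
	fmt.Println("DANE-EE(3) match:", ok)
}
```

Note that the comparison says nothing about whether the TLSA record itself was obtained securely: the record is only trustworthy when the resolver returned it with the AD bit set, which is exactly the part that was failing in this thread.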
Thank you for taking the time to look into it.
If I use that IP, dig -t a @141.14.16.1 mx3.molgen.mpg.de tells me recursion not available (perhaps an ACL issue?), and also returns non-authoritative data (the AD bit is not set in the header).
141.14.16.1 is not a public resolver. My colleague wrote:
141.14.16.1 doesn't do recursive resolution for external clients because DNS allows multiplication attacks. So you only get answers for local zones or cached names.
So, it looks as though smtpdane has done its job perfectly and complained about being unable to validate with DNSSEC; the reason it can't validate is because the configured local resolver isn't providing DNSSEC verifying service to you.
141.14.16.1 supports DNSSEC validation:
$ dig @141.14.16.1 dnssec-failed.org +short
$ dig @141.14.16.1 dnssec-failed.org +short +ad
$ dig @141.14.16.1 dnssec-failed.org +short +cd
96.99.227.255
Removing the second nameserver entry makes the error go away:
$ more /etc/resolv.conf
search molgen.mpg.de
nameserver 127.0.0.1
$ ./smtpdane mx3.molgen.mpg.de
found 1 secure addresses for "mx3.molgen.mpg.de" at "mx3.molgen.mpg.de.": [141.14.17.11]
found 2 TLSA records for "_25._tcp.mx3.molgen.mpg.de."
3 1 2 ...c2832ef72f5dc12b5fe3984bafe1b87406207edad34a4f3e11f49cd4a23db83374c
3 1 2 ...3c05180b94534145fecd30ac3a06166c6b9dac854e26bc8be37e83c0c3bbea4b8c2
[mx3.molgen.mpg.de 141.14.17.11] issuing STARTTLS [port 25]
[mx3.molgen.mpg.de 141.14.17.11] TLSA DANE-EE(3) match: 3 1 2 ...e83c0c3bbea4b8c2
The manual page resolv.conf(5) says for nameserver:
If there are multiple servers, the resolver library queries them in the order listed.
I am wondering, why the second nameserver entry is tried? Unbound is used as the system's configured DNSSEC-validating recursive nameserver to perform all DNSSEC validation, and not 141.14.16.1.
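The two symptoms discussed above, "recursion not available" and "the AD bit is not set", are both flags in the 12-byte DNS header, and the three dig probes against dnssec-failed.org are a way of reading them. The following is an added example, not part of the thread or of smtpdane, that decodes those flags from wire-format responses and applies the same verdict logic: a validating recursive resolver returns SERVFAIL for the deliberately broken zone and only answers when the client sets CD. The response bytes are constructed in the block so it runs offline; a real probe would send the queries over UDP/TCP. Names such as ClassifyResolver and probeSets are assumptions for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Bits of the 16-bit flag word in the DNS header (RFC 1035 section 4.1.1;
// AD and CD from RFC 4035 section 3.2.3) and the RCODEs used below.
const (
	flagQR           = 1 << 15
	flagRD           = 1 << 8
	flagRA           = 1 << 7
	flagAD           = 1 << 5
	flagCD           = 1 << 4
	rcodeMask uint16 = 0xF

	rcodeNoError  = 0
	rcodeServFail = 2
	rcodeRefused  = 5
)

// Header is the decoded fixed header of a DNS message.
type Header struct {
	ID                 uint16
	QR, RD, RA, AD, CD bool
	RCode              uint8
	QDCount, ANCount   uint16
}

// ParseHeader decodes the first 12 bytes of a wire-format DNS message.
func ParseHeader(msg []byte) (Header, error) {
	if len(msg) < 12 {
		return Header{}, errors.New("message shorter than the 12-byte header")
	}
	f := binary.BigEndian.Uint16(msg[2:4])
	return Header{
		ID:      binary.BigEndian.Uint16(msg[0:2]),
		QR:      f&flagQR != 0,
		RD:      f&flagRD != 0,
		RA:      f&flagRA != 0,
		AD:      f&flagAD != 0,
		CD:      f&flagCD != 0,
		RCode:   uint8(f & rcodeMask),
		QDCount: binary.BigEndian.Uint16(msg[4:6]),
		ANCount: binary.BigEndian.Uint16(msg[6:8]),
	}, nil
}

// SecureAnswer is what a DANE client needs before trusting a TLSA RRset:
// a successful answer from a recursive resolver with AD set.
func SecureAnswer(h Header) bool {
	return h.QR && h.RA && h.AD && h.RCode == rcodeNoError && h.ANCount > 0
}

// Verdict is what the dnssec-failed.org probe says about a resolver.
type Verdict int

const (
	NoRecursion   Verdict = iota // RA clear: the server will not recurse for this client
	NotValidating                // recursive, but hands out the broken zone's data
	Validating                   // SERVFAILs the broken zone unless CD is set
)

func (v Verdict) String() string {
	return [...]string{"no recursion for this client", "not validating", "validating"}[v]
}

// ClassifyResolver takes the header of the plain reply and of the +cd reply
// for dnssec-failed.org and applies the test from the thread.
func ClassifyResolver(plain, withCD Header) Verdict {
	if !plain.RA || !withCD.RA {
		return NoRecursion
	}
	if plain.RCode == rcodeServFail && withCD.RCode == rcodeNoError && withCD.ANCount > 0 {
		return Validating
	}
	return NotValidating
}

// reply builds a constructed 12-byte response header for the demo.
func reply(id, flags, answers uint16) []byte {
	b := make([]byte, 12)
	binary.BigEndian.PutUint16(b[0:2], id)
	binary.BigEndian.PutUint16(b[2:4], flagQR|flags)
	binary.BigEndian.PutUint16(b[4:6], 1) // one question
	binary.BigEndian.PutUint16(b[6:8], answers)
	return b
}

// probeSets returns constructed (plain, +cd) reply pairs for the three kinds
// of server met in the thread: a validating Unbound, a non-validating
// forwarder, and a server that refuses recursion for outside clients.
func probeSets() map[string][2][]byte {
	return map[string][2][]byte{
		"validating":     {reply(1, flagRD|flagRA|rcodeServFail, 0), reply(2, flagRD|flagRA|flagCD, 1)},
		"non-validating": {reply(3, flagRD|flagRA, 1), reply(4, flagRD|flagRA|flagCD, 1)},
		"no-recursion":   {reply(5, flagRD|rcodeRefused, 0), reply(6, flagRD|flagCD|rcodeRefused, 0)},
	}
}

func main() {
	for name, pair := range probeSets() {
		p, _ := ParseHeader(pair[0])
		c, _ := ParseHeader(pair[1])
		fmt.Printf("%-15s RA=%v AD=%v rcode=%d -> %v\n", name, p.RA, p.AD, p.RCode, ClassifyResolver(p, c))
	}
}
```

The probe only tells you that a resolver validates; it does not tell you which resolver a client will actually use. With several nameserver lines in /etc/resolv.conf the answer depends on the client's iteration order, which is the separate bug tracked in the thread.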
Because there's a different bug. Thank you. The report by smtpdane was indeed working-as-intended, but the fact that we queried that resolver at all was not. I have opened an issue #5 to track the loop bit and will get this fixed shortly.
Thank you!
Thank you for being so responsive, and writing and maintaining smtpdane.
You're welcome, and thanks for the kind words.
Running go install go.pennock.tech/smtpdane@latest should now install v0.4.4 which has the fix for the all-resolvers issue (#5). If it installs v0.4.3 then there's a stale module cache, and use @v0.4.4 to be explicit.
Thank you for the quick fix. It works now:
$ git log --oneline --no-decorate -1
07643ae bump version back to -dev for next release
$ go build
$ ./smtpdane mx3.molgen.mpg.de
found 1 secure addresses for "mx3.molgen.mpg.de" at "mx3.molgen.mpg.de.": [141.14.17.11]
found 2 TLSA records for "_25._tcp.mx3.molgen.mpg.de."
3 1 2 ...3c05180b94534145fecd30ac3a06166c6b9dac854e26bc8be37e83c0c3bbea4b8c2
3 1 2 ...c2832ef72f5dc12b5fe3984bafe1b87406207edad34a4f3e11f49cd4a23db83374c
[mx3.molgen.mpg.de 141.14.17.11] issuing STARTTLS [port 25]
[mx3.molgen.mpg.de 141.14.17.11] TLSA DANE-EE(3) match: 3 1 2 ...e83c0c3bbea4b8c2