Comments (6)

philpennock avatar philpennock commented on June 12, 2024

At the time that I checked, against an Unbound 1.15.0 resolver, it worked for me. See below. Your unbound check tells me that the localhost resolver is probably fine, but it's an error message about the second DNS resolver in your /etc/resolv.conf file.

If I use that IP, dig -t a @141.14.16.1 mx3.molgen.mpg.de tells me recursion not available (perhaps an ACL issue?), and also returns non-authoritative data (the AD bit is not set in the header). So, it looks as though smtpdane has done its job perfectly and complained about being unable to validate with DNSSEC; the reason it can't validate is because the configured local resolver isn't providing DNSSEC verifying service to you. There's an open todo item to implement a DNSSEC validator natively instead of relying upon system resolvers, but that would actually just mask a real problem here. SMTP DANE won't work for you in your setup while you're using a DNS resolver which breaks validation.

% smtpdane mx3.molgen.mpg.de
found 1 secure addresses for "mx3.molgen.mpg.de" at "mx3.molgen.mpg.de.": [141.14.17.11]
found 2 TLSA records for "_25._tcp.mx3.molgen.mpg.de."
  3 1 2 ...3c05180b94534145fecd30ac3a06166c6b9dac854e26bc8be37e83c0c3bbea4b8c2
  3 1 2 ...c2832ef72f5dc12b5fe3984bafe1b87406207edad34a4f3e11f49cd4a23db83374c
[mx3.molgen.mpg.de 141.14.17.11] issuing STARTTLS [port 25]
[mx3.molgen.mpg.de 141.14.17.11] TLSA DANE-EE(3) match: 3 1 2 ...e83c0c3bbea4b8c2

from smtpdane.

paulmenzel avatar paulmenzel commented on June 12, 2024

Thank you for taking the time to look into it.

If I use that IP, dig -t a @141.14.16.1 mx3.molgen.mpg.de tells me recursion not available (perhaps an ACL issue?), and also returns non-authoritative data (the AD bit is not set in the header).

141.14.16.1 is not a public resolver. My colleague wrote:

141.14.16.1 doesn't do recursive resolution for external clients because DNS allows multiplication attacks. So you only get answers for local zones or cached names.

So, it looks as though smtpdane has done its job perfectly and complained about being unable to validate with DNSSEC; the reason it can't validate is because the configured local resolver isn't providing DNSSEC verifying service to you.

141.14.16.1 supports DNSSEC validation:

$ dig @141.14.16.1 dnssec-failed.org +short
$ dig @141.14.16.1 dnssec-failed.org +short +ad
$ dig @141.14.16.1 dnssec-failed.org +short +cd
96.99.227.255

Removing the second nameserver entry makes the error go away:

$ more /etc/resolv.conf
search molgen.mpg.de
nameserver 127.0.0.1
$ ./smtpdane mx3.molgen.mpg.de
found 1 secure addresses for "mx3.molgen.mpg.de" at "mx3.molgen.mpg.de.": [141.14.17.11]
found 2 TLSA records for "_25._tcp.mx3.molgen.mpg.de."
  3 1 2 ...c2832ef72f5dc12b5fe3984bafe1b87406207edad34a4f3e11f49cd4a23db83374c
  3 1 2 ...3c05180b94534145fecd30ac3a06166c6b9dac854e26bc8be37e83c0c3bbea4b8c2
[mx3.molgen.mpg.de 141.14.17.11] issuing STARTTLS [port 25]
[mx3.molgen.mpg.de 141.14.17.11] TLSA DANE-EE(3) match: 3 1 2 ...e83c0c3bbea4b8c2

The manual page resolv.conf(5) says for nameserver:

If there are multiple servers, the resolver library queries them in the order listed.

I am wondering why the second nameserver entry is tried. Unbound is used as the system’s configured DNSSEC-validating recursive nameserver to perform all DNSSEC validation, and not 141.14.16.1.
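The two diagnostics in the thread (a resolver answering without RA and AD, and a client walking every resolv.conf entry) can be reproduced with plain sockets. This is an added example, not smtpdane's code; the resolv.conf text and the two response headers are constructed to mirror the thread, and `probe()` is a hypothetical helper that needs network access.

```python
"""Check whether a resolver answers with RA and AD set, as smtpdane requires."""
import socket
import struct

RD, RA, AD = 0x0100, 0x0080, 0x0020   # DNS header flag bits


def parse_resolv_conf(text):
    """Nameservers in listed order, the order resolv.conf(5) says they are tried."""
    return [p[1] for p in (l.split() for l in text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]


def build_query(name, qtype=1, qid=0x1234):
    """Minimal A query with RD and AD set so a validating resolver reports AD."""
    header = struct.pack("!HHHHHH", qid, RD | AD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def classify_response(packet):
    """Decode the header bits that decide whether DANE data is trustworthy."""
    _, flags, *_ = struct.unpack("!HHHHHH", packet[:12])
    return {"ra": bool(flags & RA), "ad": bool(flags & AD), "rcode": flags & 0x0F}


def dane_usable(packet):
    """TLSA data is only usable when the resolver recursed AND validated it."""
    f = classify_response(packet)
    return f["ra"] and f["ad"] and f["rcode"] == 0


def probe(server, name, timeout=3.0):
    """Hypothetical helper: send the query over UDP and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify_response(data)


# Constructed headers, not captured traffic: a validating recursive reply
# (QR RD RA AD) versus a reply like dig showed for 141.14.16.1 (QR RD only).
VALIDATING_REPLY = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
NO_RECURSION_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 1, 0, 0)
```

Only the first entry returned by `parse_resolv_conf` should be probed; falling through to later entries on a failed validation is the behaviour tracked as issue #5.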

philpennock avatar philpennock commented on June 12, 2024

Because there's a different bug. 😞 Thank you. The report by smtpdane was indeed working-as-intended, but the fact that we queried that resolver at all was not. I have opened an issue #5 to track the loop bit and will get this fixed shortly.

Thank you!

paulmenzel avatar paulmenzel commented on June 12, 2024

Thank you for being so responsive, and writing and maintaining smtpdane.

philpennock avatar philpennock commented on June 12, 2024

You're welcome, and thanks for the kind words.

Running go install go.pennock.tech/smtpdane@latest should now install v0.4.4, which has the fix for the all-resolvers issue (#5). If it installs v0.4.3, then there's a stale module cache; use @v0.4.4 to be explicit.

paulmenzel avatar paulmenzel commented on June 12, 2024

Thank you for the quick fix. It works now:

$ git log --oneline --no-decorate -1
07643ae bump version back to -dev for next release
$ go build
$ ./smtpdane mx3.molgen.mpg.de
found 1 secure addresses for "mx3.molgen.mpg.de" at "mx3.molgen.mpg.de.": [141.14.17.11]
found 2 TLSA records for "_25._tcp.mx3.molgen.mpg.de."
  3 1 2 ...3c05180b94534145fecd30ac3a06166c6b9dac854e26bc8be37e83c0c3bbea4b8c2
  3 1 2 ...c2832ef72f5dc12b5fe3984bafe1b87406207edad34a4f3e11f49cd4a23db83374c
[mx3.molgen.mpg.de 141.14.17.11] issuing STARTTLS [port 25]
[mx3.molgen.mpg.de 141.14.17.11] TLSA DANE-EE(3) match: 3 1 2 ...e83c0c3bbea4b8c2
