local unbound resolver fails @ DANE TLSA lookups; ok with external NS ?

sending recent mail via my local mail server

  postfix 3.7.2

to

  CASTEP@state.gov

using local resolver

  unbound 1.16.2

i see in logs lots of these warnings/errors,

     2022-10-05T17:30:13.602980-04:00 mx03 postfix/smtp-out-ext/smtp[8484]: warning: TLS policy lookup for state.gov/christopher-ew.state.gov: TLSA lookup error for christopher-ew.state.gov:25
     2022-10-05T17:30:14.353543-04:00 mx03 postfix/smtp-out-ext/smtp[8484]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.stimson.state.gov type=TLSA: Host not found, try again

reading

     Problem with TLSA & CNAME Wildcard
      https://mailing.postfix.users.narkive.com/VGejQATw/problem-with-tlsa-cname-wildcard

suggests a resolver problem

checking my local unbound resolver,

     dig +ad +noall +comment +ans +auth -t tlsa _25._tcp.christopher-ew.state.gov @127.0.0.1
         ;; Got answer:
         ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 491
         ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

         ;; OPT PSEUDOSECTION:
         ; EDNS: version: 0, flags:; udp: 1232

vs Cloudflare

     dig +ad +noall +comment +ans +auth -t tlsa _25._tcp.christopher-ew.state.gov @1.1.1.1
         ;; Got answer:
         ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64831
         ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

         ;; OPT PSEUDOSECTION:
         ; EDNS: version: 0, flags:; udp: 1232
         ;; AUTHORITY SECTION:
         state.gov. 900 IN SOA o-bimc-dns001.grid.state.sbu. hostmaster.state.gov. 71488 10800 1080 2419200 900

or Google

     dig +ad +noall +comment +ans +auth -t tlsa _25._tcp.christopher-ew.state.gov @8.8.8.8
         ;; Got answer:
         ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52518
         ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

         ;; OPT PSEUDOSECTION:
         ; EDNS: version: 0, flags:; udp: 512
         ;; AUTHORITY SECTION:
         state.gov. 900 IN SOA o-bimc-dns001.grid.state.sbu. hostmaster.state.gov. 71488 10800 1080 2419200 900

seems it's my unbound config.

afaict i've no other resolver issues.

any hints as to cause/cure for this failing dane/tlsa query? or where/how to dig further?

seems it's my unbound config.

it is, because on my unbound I can get the non-existent domain reply just as quad8 and quad1 do.

any hints as to cause/cure for this failing dane/tlsa query? or where/how to dig further?

here is my 'working' unbound.conf
hope it helps

sending recent mail via my local mail server

  postfix 3.7.2

to

  CASTEP@state.gov

using local resolver

  unbound 1.16.2

i see in logs lots of these warnings/errors,

    2022-10-05T17:30:13.602980-04:00 mx03 postfix/smtp-out-ext/smtp[8484]: warning: TLS policy lookup for state.gov/christopher-ew.state.gov: TLSA lookup error for christopher-ew.state.gov:25
    2022-10-05T17:30:14.353543-04:00 mx03 postfix/smtp-out-ext/smtp[8484]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.stimson.state.gov type=TLSA: Host not found, try again

Pasting

_25._tcp.christopher-ew.state.gov

and

_25._tcp.stimson.state.gov

into https://dnsviz.net/

indicates

1) there is nothing basically wrong with the publication setup
   for these zones
2) there are a few uses of SHA-1 (no longer recommended), but
   there are also SHA-256-based DS records around, so those should
   be preferred
3) the non-existence of these names is apparently properly
   DNSSEC-signed

I'm not seeing a SERVFAIL for the former when I query my local
unbound server running 1.16.0:

% dig @my-local-unbound-resolver _25._tcp.christopher-ew.state.gov. tlsa

; <<>> DiG 9.16.20 <<>> @my-local-unbound-resolver _25._tcp.christopher-ew.state.gov. tlsa
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37754
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_25._tcp.christopher-ew.state.gov. IN TLSA

;; AUTHORITY SECTION:
state.gov. 900 IN SOA o-bimc-dns001.grid.state.sbu. hostmaster.state.gov. 71488 10800 1080 2419200 900

;; Query time: 63 msec
;; SERVER: 2001:700:0:ff00::2#53(2001:700:0:ff00::2)
;; WHEN: Thu Oct 06 18:52:37 CEST 2022
;; MSG SIZE rcvd: 137

and this is properly DNSSEC-validated by my unbound recursor,
ref. the "ad" flag (there's no need to bundle a lot of other
query flags). NXDOMAIN means "the queried-for name does not
exist at all in the naming tree" (i.e. independent of the
queried-for type), and also that there is nothing "below" this
name in the naming tree.

reading

    Problem with TLSA & CNAME Wildcard
     https://mailing.postfix.users.narkive.com/VGejQATw/problem-with-tlsa-cname-wildcard

suggests a resolver problem

I cannot find a CNAME record on either of these names:

_25._tcp.christopher-ew.state.gov.
*._tcp.christopher-ew.state.gov.
*.christopher-ew.state.gov.
*.state.gov.

(by directly querying one of the publishing NSes for state.gov)

any hints as to cause/cure for this failing dane/tlsa query? or
where/how to dig further?

The queried-for names do not exist?

Regards,

- Håvard
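An added check (my own script, not from anyone in this thread) that makes the distinction Håvard draws mechanical: it reads dig's comment lines and separates a resolver-side SERVFAIL (which Postfix reports as the "Host not found, try again" deferral in the first post) from DNSSEC-validated non-existence. The two sample answers are copied from the first post's dig output against the local unbound and against 1.1.1.1; `check_tlsa` is a hypothetical wrapper around dig for live use.

```shell
#!/bin/sh
# Classify a resolver's reply to a DANE TLSA query from dig's "+comment" lines.
# Postfix turns SERVFAIL into "try again" and defers the mail. NXDOMAIN with the
# "ad" flag is validated non-existence: no TLSA, so no DANE for that MX host and
# opportunistic TLS proceeds. Only the resolver produces SERVFAIL here, so that
# outcome points at the local unbound, not at the published zone.

# Constructed samples, copied from the dig output quoted in the thread.
SAMPLE_LOCAL=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 491
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_CLOUDFLARE=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64831
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

# $1: dig output. Prints one token: servfail, nxdomain-secure,
# nxdomain-insecure, noerror-secure, noerror-insecure, noerror-empty, unknown.
classify_tlsa_answer() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$1" | sed -n 's/^ *;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case " $flags " in
        *" ad "*) sec=secure ;;    # resolver validated the reply (DNSSEC)
        *)        sec=insecure ;;  # unsigned or unvalidated: Postfix ignores TLSA
    esac
    case "$status" in
        SERVFAIL) echo servfail ;;
        NXDOMAIN) echo "nxdomain-$sec" ;;
        NOERROR)  if [ "${answers:-0}" -eq 0 ]; then echo noerror-empty
                  else echo "noerror-$sec"; fi ;;
        *)        echo unknown ;;
    esac
}

# $1: MX hostname, $2: resolver address. Hypothetical helper; needs dig.
check_tlsa() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
    classify_tlsa_answer "$(dig +noall +comment -t tlsa "_25._tcp.$1" "@$2")"
}

if [ "$#" -eq 2 ]; then
    check_tlsa "$1" "$2"
else
    echo "local unbound sample: $(classify_tlsa_answer "$SAMPLE_LOCAL")"        # servfail
    echo "cloudflare sample:    $(classify_tlsa_answer "$SAMPLE_CLOUDFLARE")"   # nxdomain-secure
fi
```

Run as `sh tlsa-check.sh christopher-ew.state.gov 127.0.0.1` and then again with `@1.1.1.1`; a `servfail` from the local resolver beside `nxdomain-secure` from the public one reproduces the thread's finding and places the fault in the local recursor's validation path.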