RFI: DNAME resolution used to SERVFAIL, when fixed?
I'm trying to gauge impact/spread of a DNSSEC/DANE resolution problem which has been fixed in Knot Resolver, but I can't see when and the NEWS file doesn't mention this (or I missed it). This matters for operational impact and knowing how usable/unusable a system is. I'm going to include some details below in case this helps with constructing test-cases for your codebase.
My Turris Omnia router is running kresd 1.1.0; the query below fails with SERVFAIL against that.
I fetched https://github.com/CZ-NIC/knot-resolver onto my laptop (macOS) and got commit e806158, and everything works fine with this.
- Fails SERVFAIL on 1.1.0:
dig -t tlsa _25._tcp.hummus.csx.cam.ac.uk
- Succeeds on 1.1.0:
dig -t tlsa _25._tcp.mx.exim.org
This is the TLSA record for SMTP/DANE and ensuring STARTTLS is used. The primary MX for the domain exim.org is hummus.csx.cam.ac.uk, and the TLSA records are under our administrative control via a DNAME entry at _tcp.hummus.csx.cam.ac.uk.
Failure impact: DANE isn't used when folks expect it to be used; at present, that's "SNAFU" for email security. Going forward, it's increasingly a security problem.
Any ideas how widespread this is? Anything we can tell folks other than "upgrade knot-resolver"?
Thanks!
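An offline model of the DNAME step that the failing TLSA lookup depends on, added here as an example (not code from the post or from Knot Resolver). It assumes a DNAME target of `_tcp.dane.example.net.`, which the post does not give, and uses constructed TLSA rdata.

```python
from typing import Optional

# Added example, not code from the original post or from Knot Resolver:
# an offline model of how a resolver finds a TLSA RRset that sits below a
# DNAME, the lookup the post reports failing on kresd 1.1.0.  All zone data
# is constructed; the real DNAME target is not given in the post.

RRSET = dict[tuple[str, str], list[str]]   # (owner, type) -> rdata strings

def _labels(name: str) -> list[str]:
    """Lower-cased labels of a dotted name, without the trailing root label."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def dname_substitute(qname: str, owner: str, target: str) -> Optional[str]:
    """RFC 6672 section 2.2: a DNAME at `owner` rewrites names strictly below
    it (never `owner` itself) by swapping the owner suffix for `target`.
    Returns the synthesized name, or None when the DNAME does not apply."""
    q, o, t = _labels(qname), _labels(owner), _labels(target)
    if len(q) <= len(o) or q[-len(o):] != o:
        return None
    new = q[:-len(o)] + t
    if sum(len(l) + 1 for l in new) + 1 > 255:   # wire-format length limit
        raise ValueError("synthesized name exceeds 255 octets (YXDOMAIN)")
    return ".".join(new) + "."

def lookup(zone: RRSET, qname: str, qtype: str) -> Optional[list[str]]:
    """Answer qname/qtype from `zone`, following one DNAME if needed.
    A validating resolver must verify the RRSIG over the DNAME RRset; the
    synthesized CNAME itself carries no signature (RFC 6672 section 3.3)."""
    q = _labels(qname)
    direct = zone.get((".".join(q) + ".", qtype))
    if direct is not None:
        return direct
    for i in range(1, len(q)):            # proper ancestors, closest first
        anc = ".".join(q[i:]) + "."
        dname = zone.get((anc, "DNAME"))
        if dname:
            new = dname_substitute(qname, anc, dname[0])
            return zone.get((new, qtype))  # None here is NODATA at the target
    return None

# Constructed zone data modelled on the two dig queries in the post.
ZONE: RRSET = {
    ("_tcp.hummus.csx.cam.ac.uk.", "DNAME"): ["_tcp.dane.example.net."],  # assumed
    ("_25._tcp.dane.example.net.", "TLSA"): ["3 1 1 <constructed-sha256-hex>"],
    ("_25._tcp.mx.exim.org.", "TLSA"): ["3 1 1 <constructed-sha256-hex>"],
}
```

The first query resolves directly; the second only succeeds if the resolver synthesizes the CNAME from the DNAME and then validates the TLSA RRset at the rewritten name.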