[exim-dev] DNSSEC/DANE problem Re: DANE work

Top Page
Delete this message
Reply to this message
Author: Lutz Preßler
Date:  
To: exim-dev
Old-Topics: [exim-dev] DANE work
Subject: [exim-dev] DNSSEC/DANE problem Re: DANE work
Hello,

many thanks for your work on DANE support.
Right now it's not working for me, though.

Compiled (based on Debian package) latest trunk with DANE and other features
added:

/usr/sbin/exim -bV
Exim version 4.84+82dbd37+LPexp1 #2 built 03-Sep-2014 17:47:26
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
Berkeley DB: Berkeley DB 4.8.30: (April 9, 2010)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc OpenSSL move_frozen_messages Content_Scanning DKIM Old_Demime PRDR OCSP Experimental_DANE Experimental_Proxy Experimental_TPDA Experimental_Certnames Experimental_DSN
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /etc/exim4/exim4.conf

Configuration includes "dns_dnssec_ok=1" as global option and
dnssec_request_domains = *
hosts_try_dane = *
in remote_smtp transport.

Sending messages to test domains with DANE setups, I see no "CV=dane" in
the log. Debugging output shows nothing about DANE apart from
"a.b.c.d in hosts_require_dane? no (option unset)"
DNSSEC: "Coerced resolver DNSSEC support on." before DNS lookups.

adding "hosts_require_dane = mx.test.domain" leads to:

12:49:32 4112 SMTP<< 220 2.0.0 Ready to start TLS
12:49:32 4112 Coerced resolver DNSSEC support on.
12:49:32 4112 gethostbyname2 looked up these IP addresses:
12:49:32 4112 name=mx.test.domain address=2a03:xxx:xxx:xxx::1
12:49:32 4112 name=mx.test.domain address=37.x.x.x
12:49:32 4112 2a03:xxx:xxx:xxx::1 in hosts_require_dane? yes (matched "mx.test.domain")
12:49:32 4112 LOG: MAIN
12:49:32 4112 DANE error: previous lookup not DNSSEC
12:49:32 4112 ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is not NULL
12:49:32 4112 2a03:xxx:xxx:xxx::1 in hosts_require_tls? no (option unset)
12:49:32 4112 Coerced resolver DNSSEC support on.
12:49:32 4112 gethostbyname2 looked up these IP addresses:
12:49:32 4112 name=mx.test.domain address=2a03:xxx:xxx:xxx::1
12:49:32 4112 name=mx.test.domain address=37.x.x.x
12:49:32 4112 2a03:xxx:xxx:xxx::1 in hosts_require_dane? yes (matched "mx.test.domain")
12:49:32 4112 set_process_info: 4112 delivering 1XPUbD-00012m-Cy: just tried mx.test.domain [2a03:xxx:xxx:xxx:1] for user@???: result DEFER

So, the problem seems to be DNSSEC no tbeeing checked, despite
"dnssec_request_domains=*". Any idea why?
Using dig for this domain/hosts (on the same systems) gives authenticated data.
Further: exim -be with
${lookup dnsdb{dnssec_strict,mx=test.domaim}}
(and a=..., aaaa=....) DOES work...

Regards,
Lutz