Re: [exim] DANE ERROR: TLSA LOOKUP DEFER

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
On Mon, Mar 30, 2020 at 03:25:54PM +0800, daniel via Exim-users wrote:

> Here is one example of the actual problem I have just recently tested on
> the problem server without applying the option fix (source domain masked
> for privacy reasons):
>
> 2020-03-30 15:02:59 1jIoRn-0004MT-RH <= testtest@??? H=(vps.xxx.com) [::1]:45888 P=esmtpa A=dovecot_login:testtest@??? S=572 id=287d2da21e9c92ef1d105bb7af95f224@??? T="test" for test@???
> 2020-03-30 15:02:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1jIoRn-0004MT-RH
> 2020-03-30 15:02:59 1jIoRn-0004MT-RH Sender identification U=basecrea D=xxx.com S=testtest@???
> 2020-03-30 15:02:59 1jIoRn-0004MT-RH SMTP connection outbound 1585551779 1jIoRn-0004MT-RH xxx.com test@???
> 2020-03-30 15:03:40 1jIoRn-0004MT-RH H=tidamg2.tid.gov.hk [202.38.18.3]: DANE error: tlsa lookup DEFER
> 2020-03-30 15:04:20 1jIoRn-0004MT-RH H=tidamg1.tid.gov.hk [202.38.18.2]: DANE error: tlsa lookup DEFER
> 2020-03-30 15:05:00 1jIoRn-0004MT-RH H=tidamg3.tid.gov.hk [203.184.133.146]: DANE error: tlsa lookup DEFER
> 2020-03-30 15:05:00 1jIoRn-0004MT-RH == test@??? R=dkim_lookuphost T=dkim_remote_smtp defer (-36): DANE error: tlsa lookup DEFER


There is nothing wrong with the DNS configuration of tid.gov.hk:

    tid.gov.hk. IN MX 10 tidamg1.tid.gov.hk. ; NoError AD=1
    tid.gov.hk. IN MX 10 tidamg2.tid.gov.hk. ; NoError AD=1
    tid.gov.hk. IN MX 30 tidamg3.tid.gov.hk. ; NoError AD=1


    tidamg1.tid.gov.hk. IN A 202.38.18.2 ; NoError AD=1
    tidamg1.tid.gov.hk. IN AAAA ? ; NODATA AD=1
    _25._tcp.tidamg1.tid.gov.hk. IN TLSA ? ; NXDomain AD=1


    tidamg2.tid.gov.hk. IN A 202.38.18.3 ; NoError AD=1
    tidamg2.tid.gov.hk. IN AAAA ? ; NODATA AD=1
    _25._tcp.tidamg2.tid.gov.hk. IN TLSA ? ; NXDomain AD=1


    tidamg3.tid.gov.hk. IN A 203.184.133.146 ; NoError AD=1
    tidamg3.tid.gov.hk. IN AAAA ? ; NODATA AD=1
    _25._tcp.tidamg3.tid.gov.hk. IN TLSA ? ; NXDomain AD=1


    https://dnsviz.net/d/_25._tcp.tidamg1.tid.gov.hk/XoMFCg/dnssec/
    https://dnsviz.net/d/_25._tcp.tidamg2.tid.gov.hk/XoMFEQ/dnssec/
    https://dnsviz.net/d/_25._tcp.tidamg3.tid.gov.hk/XoMFeg/dnssec/


Off-list, you reported using Google's resolvers at 8.8.8.8 and 8.8.4.4,
and those also (even in your own manual tests with "dig") reported no
issues (returned NXDomain, not ServFail).

I don't know why your Exim is reporting "tlsa lookup DEFER", but you
need to get more detailed output from your Exim that shows the DNS
queries made, and answers received, and double-check your resolver
configuration. Is Exim perhaps querying a different resolver than you
thought?

You may need to record the DNS-related traffic (UDP port 53), while
retrying delivery to the problem domain, in a tcpdump PCAP file and
post that to the list or to me off-list.

Perhaps you have an outdated version of Exim with a known issue in
DNS resolution, or a base OS with a problem in the stub resolver code
in its C-library?

Whatever the issue is, more details are needed, but what is fairly clear
is that the gov.hk folks are right, and the problem is not with their
DNS.

-- 
    Viktor.
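An added example, not Exim's code nor anything from the post above: it parses lookup lines in the "name IN TYPE answer ; RCODE AD=N" shape quoted in the message and maps each TLSA result to the outcome a DANE-aware MTA should reach, which shows why the validated NXDomain answers for the tid.gov.hk MX hosts can never produce a DEFER on their own. The `.example` hosts, the `Timeout` rcode and the disposition labels are my own constructions.

```python
import re
from typing import NamedTuple

# Line shape used in the post: "name IN TYPE answer ; RCODE AD=N"
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+IN\s+(?P<rtype>\S+)\s+(?P<answer>.*?)\s*;"
    r"\s*(?P<rcode>\w+)\s+AD=(?P<ad>[01])$"
)

class Lookup(NamedTuple):
    name: str      # owner name, e.g. _25._tcp.tidamg1.tid.gov.hk.
    rtype: str     # RR type that was queried
    answer: str    # RDATA, or "?" when the tool printed no data
    rcode: str     # NoError / NODATA / NXDomain / ServFail ...
    ad: bool       # AD flag: True when the resolver validated the answer

def parse_line(line: str) -> Lookup:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised lookup line: {line!r}")
    return Lookup(m["name"], m["rtype"], m["answer"], m["rcode"], m["ad"] == "1")

def tlsa_disposition(lk: Lookup) -> str:
    """Map one TLSA lookup to the action a DANE-aware MTA takes."""
    if lk.rtype != "TLSA":
        raise ValueError("only TLSA lookups are classified here")
    if lk.rcode in ("ServFail", "Timeout"):   # checked first: AD is always 0 here
        return "defer"          # lookup failed: retry later, never downgrade
    if not lk.ad:
        return "insecure"       # unsigned zone: DANE not applicable, opportunistic TLS
    if lk.rcode in ("NXDomain", "NODATA"):
        return "no-dane"        # authenticated denial: no TLSA, opportunistic TLS
    if lk.rcode == "NoError" and lk.answer != "?":
        return "dane-required"  # validated TLSA RRset: DANE verification is mandatory
    return "defer"              # anything unexpected is treated conservatively

def classify(lines):
    """Return {owner name: disposition} for the TLSA lines among `lines`."""
    return {lk.name: tlsa_disposition(lk)
            for lk in map(parse_line, lines) if lk.rtype == "TLSA"}

# Constructed input: the three TLSA lines from the post plus three made-up
# outcomes (validated record, unsigned zone, resolver failure) for contrast.
SAMPLE = [
    "_25._tcp.tidamg1.tid.gov.hk. IN TLSA ? ; NXDomain AD=1",
    "_25._tcp.tidamg2.tid.gov.hk. IN TLSA ? ; NXDomain AD=1",
    "_25._tcp.tidamg3.tid.gov.hk. IN TLSA ? ; NXDomain AD=1",
    "_25._tcp.mx.signed.example. IN TLSA 3 1 1 0123abcd ; NoError AD=1",
    "_25._tcp.mx.unsigned.example. IN TLSA ? ; NXDomain AD=0",
    "_25._tcp.mx.broken.example. IN TLSA ? ; ServFail AD=0",
]

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE).items():
        print(f"{name:40} {verdict}")
```

If the classifier run over your own resolver's answers says "no-dane" for every MX host while Exim still logs DEFER, the failure is in the path between Exim and the resolver, which is what the PCAP request above is meant to expose.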