Maintained by: NLnet Labs

DNSSEC validation fail for _25._tcp.eldinhadzic.com

A. Schulze
Fri Jul 15 10:37:56 CEST 2016


A. Schulze:

> with unbound-1.5.9, we hit $subject.

"qname-minimisation" was enabled. Everything is fine if I disable the feature.

# posttls-finger eldinhadzic.com
posttls-finger: using DANE RR: _25._tcp.eldinhadzic.com IN TLSA 2 1 2 77:4F:AD:8C:9A:6A:FC:2B:DB:44:FA:BA:83:90:D2:13:AE:59:2F:B0:D5:6C:5D:FA:B1:52:28:4E:33:4D:7C:D6:AB:D0:57:99:23:6E:7A:A6:26:6E:DF:81:90:7C:60:40:4C:57:EE:54:C1:0A:3A:82:FC:C2:A9:14:66:29:B1:40
posttls-finger: using DANE RR: _25._tcp.eldinhadzic.com IN TLSA 3 1 2 22:B8:28:3F:A6:10:61:63:EC:40:89:0A:2D:B9:1A:6E:6F:22:BB:91:F2:12:0A:89:3D:94:A0:12:C0:2F:D5:5C:4F:1D:B8:BE:27:6C:CD:FB:D4:C2:0A:C8:79:BC:03:0F:FA:6C:15:0B:85:94:E1:F4:5B:56:B1:92:7D:D7:6D:A9
...
posttls-finger: Verified TLS connection established to eldinhadzic.com[163.172.141.143]:25: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
...


Also, the unbound log looks better:
[1468571689] unbound[2046:0] notice: init module 0: validator
[1468571689] unbound[2046:0] notice: init module 1: iterator
[1468571689] unbound[2046:0] info: start of service (unbound 1.5.9).
[1468571693] unbound[2046:0] info: ::1 eldinhadzic.com. MX IN
[1468571693] unbound[2046:0] info: ::1 eldinhadzic.com. A IN
[1468571693] unbound[2046:0] info: ::1 eldinhadzic.com. AAAA IN
[1468571693] unbound[2046:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN

Andreas
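The message above reports only the symptom: the TLSA lookup for _25._tcp.eldinhadzic.com fails with qname-minimisation on and works with it off, and it does not say why. The following is an added example, not code from the post, from unbound or from NLnet Labs: a small Python simulation of the QNAME minimisation query walk (RFC 7816) against a constructed in-memory authoritative server, run once with correct behaviour and once with a well-known misbehaviour, answering NXDOMAIN instead of NODATA for the empty non-terminal _tcp.eldinhadzic.com, which a full-name query never touches. The zone contents (NS, MX, the placeholder TLSA rdata), the choice of NS as the intermediate qtype, and the misbehaving server are all assumptions for illustration; nothing here asserts what the real eldinhadzic.com name servers do. A validating resolver would in addition require an NSEC/NSEC3 proof for that NXDOMAIN and could declare the answer bogus; the toy only shows where the walk stops.

```python
"""Toy simulation of QNAME minimisation (RFC 7816) against an in-memory
authoritative server.  Constructed example: not unbound's code and not a
statement about the real eldinhadzic.com name servers."""

from dataclasses import dataclass


def _labels(name):
    """'_25._tcp.example.com.' -> ['_25', '_tcp', 'example', 'com']"""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


@dataclass
class ToyAuth:
    zone: str                       # apex of the single zone this server serves
    records: dict                   # owner name -> {qtype: [rdata, ...]}
    nxdomain_for_ent: bool = False  # misbehaviour: NXDOMAIN for empty non-terminals

    def query(self, qname, qtype):
        """Return (rcode, rdata list) for the NOERROR / NODATA / NXDOMAIN
        cases that matter for this walk."""
        qname = ".".join(_labels(qname)) + "."
        if qname in self.records:
            return "NOERROR", list(self.records[qname].get(qtype, []))
        # An empty non-terminal (ENT) exists only because a longer name
        # exists beneath it, e.g. _tcp.<zone> below _25._tcp.<zone>.
        is_ent = any(owner.endswith("." + qname) for owner in self.records)
        if is_ent and not self.nxdomain_for_ent:
            return "NOERROR", []        # correct answer for an ENT: NODATA
        return "NXDOMAIN", []


def full_lookup(auth, qname, qtype):
    """Resolver with qname-minimisation off: send the full name straight away."""
    rcode, rrs = auth.query(qname, qtype)
    return rcode, rrs, [(qname, qtype, rcode)]


def minimised_lookup(auth, qname, qtype, intermediate_qtype="NS"):
    """Resolver with qname-minimisation on: below the zone cut it already knows,
    add one label per query and ask a neutral qtype (assumed NS here) until the
    full name is reached, then ask for the real qtype."""
    labels = _labels(qname)
    depth = len(_labels(auth.zone))
    if len(labels) <= depth:            # at or above the apex: nothing to minimise
        return full_lookup(auth, qname, qtype)
    trace = []
    rcode, rrs = "NOERROR", []
    for n in range(depth + 1, len(labels) + 1):
        name = ".".join(labels[-n:]) + "."
        t = qtype if n == len(labels) else intermediate_qtype
        rcode, rrs = auth.query(name, t)
        trace.append((name, t, rcode))
        if rcode == "NXDOMAIN":
            # Nothing can exist below a non-existent name, so the walk stops
            # here and the TLSA record is never asked for.
            return rcode, [], trace
    return rcode, rrs, trace


def build_auth(nxdomain_for_ent=False):
    """Constructed zone using the names seen in the post; TLSA digests omitted."""
    records = {
        "eldinhadzic.com.": {
            "NS": ["ns1.example.invalid."],     # constructed
            "MX": ["10 eldinhadzic.com."],      # constructed
            "A": ["163.172.141.143"],           # address from the posttls-finger output
        },
        "_25._tcp.eldinhadzic.com.": {
            "TLSA": ["2 1 2 <digest>", "3 1 2 <digest>"],   # digests left out of the toy
        },
    }
    return ToyAuth("eldinhadzic.com.", records, nxdomain_for_ent)


def compare(nxdomain_for_ent):
    """Run both resolver behaviours; return (minimised rcode, full rcode, trace)."""
    auth = build_auth(nxdomain_for_ent)
    name, qtype = "_25._tcp.eldinhadzic.com.", "TLSA"
    m_rcode, _, m_trace = minimised_lookup(auth, name, qtype)
    f_rcode, _, _ = full_lookup(auth, name, qtype)
    return m_rcode, f_rcode, m_trace


if __name__ == "__main__":
    for broken in (False, True):
        m, f, trace = compare(broken)
        print(f"ENT answered with NXDOMAIN: {broken}")
        for step in trace:
            print("   minimised query:", *step)
        print(f"   minimised -> {m}, full name -> {f}")
```

With the correct server both resolvers reach the two TLSA records; with the misbehaving one the minimised walk ends at _tcp.eldinhadzic.com with NXDOMAIN while the direct query still succeeds, which is the shape of "works only with the feature off". Whether that, a query-type handling difference, or something else was the cause in the case above is not something the post establishes; checking the intermediate names with dig (NS and A queries for _tcp.eldinhadzic.com, with +dnssec) is the first thing to do when reproducing.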