Date: Mon, 13 Apr 2020 11:25:41 +0200
From: Christian <list-christian@....de>
To: musl@...ts.openwall.com
Subject: Resolver routines, Postfix DNSSEC troubles - how to check for
 incompatibilities?

Hi there,

I am having an issue in my alpine docker setup with Postfix. I
activated DANE for my server and did some tests if E-Mails are handled
correctly. In that I found the outgoing mails to fail using DANE.

Investigating the issue with Viktor Dukhovni over at postfix-users, we
figured that Postfix has troubles recognising the DANE parameters of
the target server I am sending my E-Mails to. If you are interested in the conversation: https://pastebin.com/1e3sR0Hq

In the tcpdumps we could figure that no DNSSEC flags are in the
request by Postfix, hence not getting the information to properly do
DANE. That explains the failure of DANE, however not why this is
happening.

I am no programmer, hence not sure about libc etc. but Viktor's last
thought:
"When Postfix is configured with "smtp_dns_support_level = dnssec", the
RES_USE_DNSSEC and RES_USE_EDNS0 flags are set around calls to the
resolver routines.  If your C-library (perhaps only inside docker) has
an incompatible resolver API, then you'll need a more compatible
resolver library and/or a different container technology."

In comparison using dig to check for DNSSEC out of the same container
based on alpine works. However I do not know if the request is
constructed the same way.

So the question is now on how we can go about this to figure if there
is an incompatibility?

Kind regards
  Christian
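
The tcpdump observation above can be checked mechanically. The following is an added example, not code from this thread, Postfix or musl: it classifies the UDP payload of a DNS query by whether it carries an EDNS0 OPT record (type 41) and whether the DO ("DNSSEC OK") bit is set in it. The names `edns_status`, `skip_name` and the sample byte arrays are hypothetical, and the sample queries are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define RD16(p, o) ((unsigned)((p)[o] << 8 | (p)[(o) + 1]))

/* Skip one domain name (labels or compression pointer); 0 means malformed. */
static size_t skip_name(const uint8_t *p, size_t len, size_t off) {
    while (off < len) {
        uint8_t b = p[off];
        if (b == 0) return off + 1;                 /* root label ends the name */
        if ((b & 0xC0) == 0xC0) return off + 2;     /* pointer ends the name */
        if (b & 0xC0) return 0;                     /* reserved label type */
        off += 1 + (size_t)b;
    }
    return 0;
}

/* -1 malformed, 0 no EDNS0 OPT record, 1 OPT without DO, 2 OPT with DO set. */
int edns_status(const uint8_t *p, size_t len) {
    if (len < 12) return -1;                        /* fixed DNS header is 12 bytes */
    unsigned qd = RD16(p, 4), rr = RD16(p, 6) + RD16(p, 8) + RD16(p, 10);
    size_t off = 12;
    while (qd--) {                                  /* question: name, type, class */
        off = skip_name(p, len, off);
        if (!off || off + 4 > len) return -1;
        off += 4;
    }
    while (rr--) {                                  /* RR: name, 10 fixed bytes, rdata */
        off = skip_name(p, len, off);
        if (!off || off + 10 > len) return -1;
        if (RD16(p, off) == 41)                     /* OPT: flags are TTL bytes 2-3 */
            return (RD16(p, off + 6) & 0x8000) ? 2 : 1;
        off += 10 + RD16(p, off + 8);
        if (off > len) return -1;
    }
    return 0;
}

/* Constructed queries for "example.org MX" (sample bytes, not captured traffic). */
#define HDR(ar) 0x12,0x34, 1,0, 0,1, 0,0, 0,0, 0,ar
#define QUESTION 7,'e','x','a','m','p','l','e',3,'o','r','g',0, 0,15, 0,1
const uint8_t q_plain[] = {HDR(0), QUESTION};
const uint8_t q_edns[]  = {HDR(1), QUESTION, 0, 0,41, 4,0xd0, 0,0,0,0,    0,0};
const uint8_t q_do[]    = {HDR(1), QUESTION, 0, 0,41, 4,0xd0, 0,0,0x80,0, 0,0};

int main(void) {
    printf("plain=%d edns=%d do=%d\n", edns_status(q_plain, sizeof q_plain),
           edns_status(q_edns, sizeof q_edns), edns_status(q_do, sizeof q_do));
    return 0;
}
```

A result of 0 for the query sent by Postfix and 2 for the one sent by dig from the same container would show that the two requests are not constructed the same way.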
