Discussion:
Problem with TLSA & CNAME Wildcard
Robert Sander
2014-09-03 12:25:06 UTC
Hi,

we encounter an issue with DANE-enabled Postfix
trying to deliver mail to a DNSSEC-enabled domain
that has no specific TLSA records for its MX but
obviously a wildcard CNAME entry:

Sep 3 14:18:47 mailout1 postfix/smtp[30772]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mail2.clarion-hotels.cz type=TLSA: Host not found, try again
Sep 3 14:18:47 mailout1 postfix/smtp[30772]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mail2.clarion-hotels.cz type=TLSA: Host not found, try again
Sep 3 14:18:47 mailout1 postfix/smtp[30772]: warning: TLS policy lookup for clarion-hotels.cz/mail2.clarion-hotels.cz: TLSA lookup error for mail2.clarion-hotels.cz:25
Sep 3 14:18:47 mailout1 postfix/smtp[30772]: AAF4823F4B5: to=<***@clarion-hotels.cz>, relay=none, delay=12905, delays=12904/0/1.1/0, dsn=4.7.5, status=deferred (TLSA lookup error for mail2.clarion-hotels.cz:25)

$ host -t tlsa _25._tcp.mail2.clarion-hotels.cz
_25._tcp.mail2.clarion-hotels.cz is an alias for clarion-hotels.cz.
$ dig tlsa _25._tcp.mail2.clarion-hotels.cz

; <<>> DiG 9.9.5-3-Ubuntu <<>> tlsa _25._tcp.mail2.clarion-hotels.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39829
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;_25._tcp.mail2.clarion-hotels.cz. IN TLSA

;; ANSWER SECTION:
_25._tcp.mail2.clarion-hotels.cz. 1788 IN CNAME clarion-hotels.cz.

;; AUTHORITY SECTION:
clarion-hotels.cz. 3059 IN SOA ns.forpsi.net. admin.forpsi.com. 2014082501 3600 1800 2592000 3600

;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Sep 03 14:23:00 CEST 2014
;; MSG SIZE rcvd: 140


I believe that Postfix stumbles across the unexpected
CNAME record, which does not have a TLSA record.

Is there anything we can do?

Regards
--
Robert Sander
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-43
Fax: 030 / 405051-19

Mandatory information per §35a GmbHG:
HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
Managing director: Peer Heinlein -- Registered office: Berlin
Wietse Venema
2014-09-03 14:27:51 UTC
Robert Sander:

Post by Robert Sander
Hi,
we encounter an issue with DANE-enabled Postfix
trying to deliver mail to a DNSSEC-enabled domain
that has no specific TLSA records for its MX but
Sep 3 14:18:47 mailout1 postfix/smtp[30772]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mail2.clarion-hotels.cz type=TLSA: Host not found, try again
Looks like the DNS client is losing some query flags while resolving
the CNAME record. I'll investigate further.

Wietse
Viktor Dukhovni
2014-09-03 14:40:09 UTC
Post by Robert Sander
Sep 3 14:18:47 mailout1 postfix/smtp[30772]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mail2.clarion-hotels.cz type=TLSA: Host not found, try again
$ host -t tlsa _25._tcp.mail2.clarion-hotels.cz
_25._tcp.mail2.clarion-hotels.cz is an alias for clarion-hotels.cz.
I don't see a CNAME, I get SERVFAIL:

$ dig +ad +noall +comment +ans +auth -t tlsa _25._tcp.mail2.clarion-hotels.cz
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8100
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

Which is consistent with the above log entry. The problem
is generic to all sub-domains of the MX hostname in question:

$ dig +ad +noall +comment +ans +auth -t a fail.mail2.clarion-hotels.cz
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11576
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
Post by Robert Sander
I believe that Postfix stumbles across the unexpected
CNAME record, that does not have a TLSA record.
No, DNSSEC signature problems are detected in the validating
resolver, not in Postfix. Disabling validation returns the following,
which presumably is either wrong or exposes a bug in unbound.

$ dig +cd +dnssec +noall +comment +ans +auth -t tlsa fail.mail2.clarion-hotels.cz
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63426
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
fail.mail2.clarion-hotels.cz. 1430 IN CNAME clarion-hotels.cz.
fail.mail2.clarion-hotels.cz. 1430 IN RRSIG CNAME 5 2 1800 20140924121306 20140825121306 13077 clarion-hotels.cz. M8OQ5fcnOYPX2XXvV9Cgefkjv2AHYFLAMeDfUpBuSk1PBFG6s/4tMSLb C/0r72TOjZupOHe5vizyzamAcE6m7dA4tlXGlWkTapf95lKFRokqjQow eRESgmZSS/b43jgxLv/+FRsu3rYnz77j3cC413qBn0PDDKLbepk0YEZC yTk=

;; AUTHORITY SECTION:
mail2.clarion-hotels.cz. 2759 IN NSEC clarion-hotels.cz. A RRSIG NSEC
mail2.clarion-hotels.cz. 2759 IN RRSIG NSEC 5 3 3600 20140924121306 20140825121306 13077 clarion-hotels.cz. WlUUsb1EqhP5mUfJ5DXpxvVs7Tw4h5802WCwXy4B2NByTbj3SfurhbV7 HBxPFA/I5OR4VkbWsFr7LlOpb93xRmEXt98afdrzzrKIgMIoNHu4oHDe ykeuV/7epjuHOxpZUKtfhe48ktKZ0NRievAyCUxiJA8evpgifR7AKKqS yGA=
clarion-hotels.cz. 2716 IN SOA ns.forpsi.net. admin.forpsi.com. 2014082501 3600 1800 2592000 3600
clarion-hotels.cz. 2716 IN RRSIG SOA 5 2 3600 20140924121306 20140825121306 13077 clarion-hotels.cz. F5DurWWNlg9zQrvFMQrdNNjH58Zv/TTVBQSOtslMYlwXWp3ZcJGCC1Ra veDuerwFv5dQUsBQIJpQc5eZmyXXH8YA5rOLBK1x19ej0hl1T3yi3pG6 4SJFCrzSIIFVKzX7nKDtfnFK/Zq3X6db7oh9I+gpNnyojuDCccuQNwov kQw=
clarion-hotels.cz. 2716 IN NSEC *.clarion-hotels.cz. A NS SOA MX RRSIG NSEC DNSKEY
clarion-hotels.cz. 2716 IN RRSIG NSEC 5 2 3600 20140924121306 20140825121306 13077 clarion-hotels.cz. OOeXzp0449w2dXf6zdvnidH69d27+9kPH6fJP9CK+coXuMiZ7WwheIn8 qZrhqYPu9xrnpgmYYkOeuaWDq2b+7rxKzzJTw/0hAjjO8vKRMr2sPyNi CpM2btBTM2FrKZvFJZegMYafo37QH05cg47hXAjEiyEYCMlJfNmMx+AN le8=

The problem is perhaps with the wildcard record in the authority
section, which seems to wildcard NS SOA and DNSKEY, making the
wildcard CNAMEs look like signed sub-zones.
Post by Robert Sander
Is there anything we can do?
You can disable "dane" for this domain.

tls-policy:
clarion-hotels.cz may

The wildcard in question is unwise, it should instead be a CNAME to

*.clarion-hotels.cz IN CNAME www.clarion-hotels.cz.

with "www.clarion-hotels.cz" having only A/AAAA records, and no
NS, DNSKEY, ... There may be other issues.
--
Viktor.
Wietse Venema
2014-09-03 14:43:21 UTC
Post by Robert Sander
Sep 3 14:18:47 mailout1 postfix/smtp[30772]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mail2.clarion-hotels.cz type=TLSA: Host not found, try again
$ host -t tlsa _25._tcp.mail2.clarion-hotels.cz
_25._tcp.mail2.clarion-hotels.cz is an alias for clarion-hotels.cz.
Actually, this depends on your resolver. Search your favorite
search engine for "DNSSEC wildcard".

Many resolvers don't support this.

Wietse
Wietse Venema
2014-09-03 14:54:35 UTC
Post by Wietse Venema
Post by Robert Sander
Hi,
we encounter an issue with DANE-enabled Postfix
trying to deliver mail to a DNSSEC-enabled domain
that has no specific TLSA records for its MX but
Sep 3 14:18:47 mailout1 postfix/smtp[30772]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mail2.clarion-hotels.cz type=TLSA: Host not found, try again
Looks like the DNS client is losing some query flags while resolving
the CNAME record. I'll investigate further.
Further investigation suggests that my local DNS resolver does
not support DNSSEC for wildcards, and therefore treats the CNAME
response as "not signed". This invalidates my test.

Wietse
Viktor Dukhovni
2014-09-03 15:12:34 UTC
Post by Wietse Venema
Actually, this depends on your resolver. Search your favorite
search engine for "DNSSEC wildcard".
Unbound is supposed to handle this correctly. It also SERVFAILs
at Google's 8.8.8.8 validating recursor. I suspect the problem is
related to the wildcard pointing at the root of the zone, rather
than an internal node.

Note for example the below which works fine (mail10 is fiction):

$ dig +ad +noall +comment +ans +auth -t tlsa fail.mail10.clarion-hotels.cz
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64221
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; ANSWER SECTION:
fail.mail10.clarion-hotels.cz. 1800 IN CNAME clarion-hotels.cz.

;; AUTHORITY SECTION:
clarion-hotels.cz. 3600 IN SOA ns.forpsi.net. admin.forpsi.com. 2014082501 3600 1800 2592000 3600

While changing mail10 to mail2 (which is not subject to the wildcard)
breaks:

$ dig +ad +noall +comment +ans +auth -t tlsa fail.mail2.clarion-hotels.cz
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17132
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

So my resolver can and does validate wildcard CNAMEs, but not in
this case. Whether the problem is on the DNS server or client I
cannot say.
--
Viktor.
Viktor Dukhovni
2014-09-04 21:51:28 UTC
Post by Viktor Dukhovni
$ dig +cd +dnssec +noall +comment +ans +auth -t tlsa fail.mail2.clarion-hotels.cz
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63426
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
fail.mail2.clarion-hotels.cz. 1430 IN CNAME clarion-hotels.cz.
This is wrong because mail2.clarion-hotels.cz exists and thus none
of its descendants are in scope for the sibling "*.clarion-hotels.cz"
wildcard.
Post by Viktor Dukhovni
fail.mail2.clarion-hotels.cz. 1430 IN RRSIG CNAME 5 2 1800 20140924121306 20140825121306 13077 clarion-hotels.cz. M8OQ5fcnOYPX2XXvV9Cgefkjv2AHYFLAMeDfUpBuSk1PBFG6s/4tMSLb C/0r72TOjZupOHe5vizyzamAcE6m7dA4tlXGlWkTapf95lKFRokqjQow eRESgmZSS/b43jgxLv/+FRsu3rYnz77j3cC413qBn0PDDKLbepk0YEZC yTk=
This RRSIG has a label count of 2, which, since the query name has
more labels, means that the signed name is "*.clarion-hotels.cz".
The signature is fine, but in order for the response to be valid
it must be accompanied by a signed non-existence proof for
"mail2.clarion-hotels.cz" (which we know exists).
Post by Viktor Dukhovni
mail2.clarion-hotels.cz. 2759 IN NSEC clarion-hotels.cz. A RRSIG NSEC
Unsurprisingly, that's not what the NSEC record proves, it only
proves absence of descendants of "mail2" while disproving the
non-existence of "mail2", so the CNAME RR is busted.
Post by Viktor Dukhovni
You can disable "dane" for this domain.
clarion-hotels.cz may
I'd like to find out what DNS server software is in place for this
domain. Anyone in contact with their postmaster or DNS administrator?

clarion-hotels.cz. 3600 IN NS ns.forpsi.net.
clarion-hotels.cz. 3600 IN NS ns.forpsi.it.
clarion-hotels.cz. 3600 IN NS ns.forpsi.cz.
--
Viktor.
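The validation step Viktor walks through above, as an added example in Python (not code from the thread, Postfix or unbound): the RRSIG Labels field (the `2` in `RRSIG CNAME 5 2 1800 ...`) reveals that the signed name is `*.clarion-hotels.cz`, so the validator must also hold an NSEC record covering the next closer name `mail2.clarion-hotels.cz`; the quoted NSEC is owned by that very name, so it proves existence rather than absence and the answer is bogus. The `*.clarion-hotels.cz. NSEC mail2.clarion-hotels.cz.` record used to show the working mail10 case is an assumed record, not one quoted in the thread.

```python
def labels(name):
    """Split a domain name into lowercase labels, ignoring the root dot."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def canonical_key(name):
    """Sort key for RFC 4034 s.6.1 canonical ordering: labels are compared
    from the right (most significant first) as lowercase octet strings."""
    return tuple(l.encode() for l in reversed(labels(name)))


def signed_owner(owner, rrsig_labels):
    """RFC 4035 s.5.3.1: if the RRSIG Labels field is smaller than the owner's
    label count, the RRset was synthesized from a wildcard whose name is '*'
    followed by the rightmost `rrsig_labels` labels of the owner."""
    ls = labels(owner)
    if rrsig_labels >= len(ls):
        return owner                      # not a wildcard expansion
    return "*." + ".".join(ls[len(ls) - rrsig_labels:]) + "."


def next_closer_name(qname, wildcard):
    """The name whose non-existence the NSEC must prove: one label below the
    wildcard's parent (the closest encloser), taken from the query name."""
    ls = labels(qname)
    encloser_len = len(labels(wildcard)) - 1   # drop the '*' label
    return ".".join(ls[len(ls) - encloser_len - 1:]) + "."


def nsec_covers(owner, nxt, name):
    """True when `name` sorts strictly between the NSEC owner and its next
    name.  The last NSEC in a zone points back to the apex, so the range
    wraps around; an owner equal to `name` proves existence, not absence."""
    o, n, x = canonical_key(owner), canonical_key(nxt), canonical_key(name)
    if o < n:
        return o < x < n
    return x > o or x < n                 # wrap-around NSEC


def wildcard_answer_valid(qname, rrsig_labels, nsec_owner, nsec_next):
    """Validate a (signature-checked) wildcard-expanded answer for `qname`
    against one NSEC record, the way a validating resolver would."""
    wildcard = signed_owner(qname, rrsig_labels)
    if wildcard == qname:
        return True                       # no expansion, no extra proof needed
    return nsec_covers(nsec_owner, nsec_next, next_closer_name(qname, wildcard))
```

Feeding the quoted records in (`wildcard_answer_valid("fail.mail2.clarion-hotels.cz.", 2, "mail2.clarion-hotels.cz.", "clarion-hotels.cz.")`) returns False, which is the SERVFAIL seen from unbound and 8.8.8.8.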