DNS problems with DHL related domains

Minor incident · External Services · DNS-Providers · Non-SEPPmail-related incidents
2024-12-10 08:12 CET · 2 weeks, 2 hours, 24 minutes

Updates

Resolved

Closing - There is nothing else that could be done on SEPPmail’s side. It’s up to DHL whether they can be bothered fixing their systems.

December 24, 2024 · 10:34 CET
Issue

We (and possibly many others) currently experience problems resolving DHL-related domains in DNS when using a DNSSEC-aware resolver. This is due to a misconfiguration on the nameserver at DHL’s end. It seems they messed up the so-called NSEC3 record, which is used to prove the existence or non-existence of DNS records:

8gl6s6u4s65k06ilm5t49c482efl09np.dhl.com. 295 IN NSEC3 1 0 1 80DDDB4A793B1D2D 8GL6S6U4S65K06ILM5T49C482EFL09NQ NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY

This NSEC3 RR clearly states that only the following types exist in the zone: NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY. That means no other record type exists, in particular no A or MX, but those two types are required for mail (RFC 5321).
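The following script is an added example (not SEPPmail’s or DHL’s code) that decodes the NSEC3 record quoted above, recomputes the RFC 5155 hash of dhl.com under the record’s own parameters to check that the record really is the one for the zone apex, and lists which mail-relevant types a validating resolver must treat as provably absent. The record text is copied from the incident; the type list passed to denied_types is the example’s own choice.

```python
# Added example: decode the NSEC3 RR above and show what a DNSSEC validator concludes.
import base64
import hashlib

# The record as quoted in the incident text.
NSEC3_RR = ("8gl6s6u4s65k06ilm5t49c482efl09np.dhl.com. 295 IN NSEC3 1 0 1 80DDDB4A793B1D2D "
            "8GL6S6U4S65K06ILM5T49C482EFL09NQ NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY")

# NSEC3 owner names use the base32hex alphabet (RFC 4648), not plain base32.
_B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3(rr):
    """Split a presentation-format NSEC3 RR into its fields (RFC 5155 section 3.3)."""
    f = rr.split()
    if f[3] != "NSEC3":
        raise ValueError("not an NSEC3 record")
    return {
        "owner": f[0].lower(),                 # hashed label + zone name
        "zone": f[0].split(".", 1)[1].lower(),
        "hash_alg": int(f[4]),                 # 1 = SHA-1, the only defined algorithm
        "flags": int(f[5]),                    # bit 0 = Opt-Out
        "iterations": int(f[6]),
        "salt": b"" if f[7] == "-" else bytes.fromhex(f[7]),
        "next": f[8].lower(),                  # next hashed owner name in the chain
        "types": set(f[9:]),                   # the type bitmap in presentation form
    }


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: iterated SHA-1 over the wire-format name, base32hex encoded."""
    labels = name.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):                # iterations extra rounds, each re-salted
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_HEX).lower()


def hashed_owner_of(rr, name):
    """True if this NSEC3 RR describes `name`, i.e. its owner label is H(name)."""
    r = parse_nsec3(rr)
    return r["owner"] == nsec3_hash(name, r["salt"], r["iterations"]) + "." + r["zone"]


def denied_types(rr, wanted):
    """Types from `wanted` that the signed bitmap says do not exist at this owner."""
    present = parse_nsec3(rr)["types"]
    return sorted(t for t in wanted if t not in present)


if __name__ == "__main__":
    print("record is the NSEC3 for dhl.com:", hashed_owner_of(NSEC3_RR, "dhl.com"))
    print("mail-relevant types denied:", denied_types(NSEC3_RR, ["A", "AAAA", "MX"]))
```

The apex check is computed live from the salt and iteration count in the record, so it tells you whether the quoted RR is dhl.com’s own NSEC3 or one covering a different name in the zone; the denied-types list is what makes a validator answer SERVFAIL to an MX or A lookup instead of returning nothing.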

As a temporary workaround we added negative trust anchors for DHL-related domains to disable DNSSEC validation for those. This allows our customers to send/receive mail to/from DHL although their DNSSEC is broken.

December 11, 2024 · 08:12 CET
