target/remote: Reimplement TLSA records discovery algorithm, add tests

Now it covers all edge cases described by RFC 7672.

There is an unrelated change in tests/ due to interface change in
go-mockdns.

framework/dns/dnssec.go

@@ -203,6 +203,71 @@ func (e ExtResolver) AuthLookupTXT(ctx context.Context, name string) (ad bool, r
 	return
 }
 
+// CheckCNAMEAD is a special function for use in DANE lookups. It attempts to determine final
+// (canonical) name of the host and also reports whether the whole chain of CNAME's and final zone
+// are "secure".
+//
+// If there are no A or AAAA records for host, rname = "" is returned.
+func (e ExtResolver) CheckCNAMEAD(ctx context.Context, host string) (ad bool, rname string, err error) {
+	msg := new(dns.Msg)
+	msg.SetQuestion(dns.Fqdn(host), dns.TypeA)
+	msg.SetEdns0(4096, false)
+	msg.AuthenticatedData = true
+	resp, err := e.exchange(ctx, msg)
+	if err != nil {
+		return false, "", err
+	}
+
+	for _, r := range resp.Answer {
+		switch r := r.(type) {
+		case *dns.A:
+			rname = r.Hdr.Name
+			ad = resp.AuthenticatedData // Use AD flag from response we used to determine rname
+		}
+	}
+
+	if rname == "" {
+		// IPv6-only host? Try to find out rname using AAAA lookup.
+		msg := new(dns.Msg)
+		msg.SetQuestion(dns.Fqdn(host), dns.TypeA)
+		msg.SetEdns0(4096, false)
+		msg.AuthenticatedData = true
+		resp, err := e.exchange(ctx, msg)
+		if err == nil {
+			for _, r := range resp.Answer {
+				switch r := r.(type) {
+				case *dns.AAAA:
+					rname = r.Hdr.Name
+					ad = resp.AuthenticatedData
+				}
+			}
+		}
+	}
+
+	return ad, rname, nil
+}
+
+func (e ExtResolver) AuthLookupCNAME(ctx context.Context, host string) (ad bool, cname string, err error) {
+	msg := new(dns.Msg)
+	msg.SetQuestion(dns.Fqdn(host), dns.TypeCNAME)
+	msg.SetEdns0(4096, false)
+	msg.AuthenticatedData = true
+	resp, err := e.exchange(ctx, msg)
+	if err != nil {
+		return false, "", err
+	}
+
+	for _, r := range resp.Answer {
+		cnameR, ok := r.(*dns.CNAME)
+		if !ok {
+			continue
+		}
+		return resp.AuthenticatedData, cnameR.Target, nil
+	}
+
+	return resp.AuthenticatedData, "", nil
+}
+
 func (e ExtResolver) AuthLookupIPAddr(ctx context.Context, host string) (ad bool, addrs []net.IPAddr, err error) {
 	// First, query IPv6.
 	msg := new(dns.Msg)

go.mod

@@ -23,7 +23,7 @@ require (
 	github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005
 	github.com/foxcpp/go-imap-namespace v0.0.0-20200722130255-93092adf35f1
 	github.com/foxcpp/go-imap-sql v0.4.1-0.20200823124337-2f57903a7ed0
-	github.com/foxcpp/go-mockdns v0.0.0-20200531120619-ae750bbf9d73
+	github.com/foxcpp/go-mockdns v0.0.0-20201129203541-9b1391edef7e
 	github.com/foxcpp/go-mtasts v0.0.0-20191219193356-62bc3f1f74b8
 	github.com/go-sql-driver/mysql v1.5.0
 	github.com/google/uuid v1.1.1

go.sum

@@ -137,6 +137,8 @@ github.com/foxcpp/go-mockdns v0.0.0-20191216195825-5eabd8dbfe1f h1:b/CFmrdqIGU6e
 github.com/foxcpp/go-mockdns v0.0.0-20191216195825-5eabd8dbfe1f/go.mod h1:tPg4cp4nseejPd+UKxtCVQ2hUxNTZ7qQZJa7CLriIeo=
 github.com/foxcpp/go-mockdns v0.0.0-20200531120619-ae750bbf9d73 h1:rZE8KRqNsxz1Jqd782wLMK4FgZ8BKMwPCQjIEpA1bUs=
 github.com/foxcpp/go-mockdns v0.0.0-20200531120619-ae750bbf9d73/go.mod h1:tPg4cp4nseejPd+UKxtCVQ2hUxNTZ7qQZJa7CLriIeo=
+github.com/foxcpp/go-mockdns v0.0.0-20201129203541-9b1391edef7e h1:zOfwjGk0A3wTpOLNreIEXonIinY+oqJ2R0/QeAbgYmc=
+github.com/foxcpp/go-mockdns v0.0.0-20201129203541-9b1391edef7e/go.mod h1:tPg4cp4nseejPd+UKxtCVQ2hUxNTZ7qQZJa7CLriIeo=
 github.com/foxcpp/go-mtasts v0.0.0-20191219193356-62bc3f1f74b8 h1:k8w0iy6GP9oeSZWUH3p2DqZHaXDKZGNs3NZGZMGfQHc=
 github.com/foxcpp/go-mtasts v0.0.0-20191219193356-62bc3f1f74b8/go.mod h1:HO1YOCbBM8KjpgThMMFejHx6K/UsnEv2Oh9YGtBIlOU=
 github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4=

internal/target/remote/dane.go

@@ -88,6 +88,12 @@ func verifyDANE(recs []dns.TLSA, connState tls.ConnectionState) (overridePKIX bo
 		}
 	}
 
+	// Authentication is not required if all records are unusable, see
+	// RFC 7672 Section 2.1.1.
+	if len(eeRecs) == 0 && len(taRecs) == 0 {
+		return false, nil
+	}
+
 	for _, rec := range eeRecs {
 		if rec.Verify(connState.PeerCertificates[0]) == nil {
 			// https://tools.ietf.org/html/rfc7672#section-3.1.1

internal/target/remote/dane_delivery_test.go

@@ -32,7 +32,7 @@ import (
 )
 
 func targetWithExtResolver(t *testing.T, zones map[string]mockdns.Zone) (*mockdns.Server, *Target) {
-	dnsSrv, err := mockdns.NewServerWithLogger(zones, testutils.Logger(t, "mockdns"))
+	dnsSrv, err := mockdns.NewServerWithLogger(zones, testutils.Logger(t, "mockdns"), false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -75,6 +75,218 @@ func tlsaRecord(name string, usage, matchType, selector uint8, cert string) map[
 }
 
 func TestRemoteDelivery_DANE_Ok(t *testing.T) {
+	_, be, srv := testutils.SMTPServerSTARTTLS(t, "127.0.0.1:"+smtpPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	// RFC 7672, Section 2.2.2. "Non-CNAME" case.
+	zones := map[string]mockdns.Zone{
+		"example.invalid.": {
+			MX: []net.MX{{Host: "mx.example.invalid.", Pref: 10}},
+		},
+		"mx.example.invalid.": {
+			AD: true,
+			A:  []string{"127.0.0.1"},
+		},
+		"_25._tcp.mx.example.invalid.": {
+			AD: true,
+			Misc: tlsaRecord(
+				"_25._tcp.mx.example.invalid.",
+				3, 1, 1, "a9b5cb4d02f996f6385debe9a8952f1af1f4aec7eae0f37c2cd6d0d8ee8391cf"),
+		},
+	}
+
+	dnsSrv, tgt := targetWithExtResolver(t, zones)
+	defer dnsSrv.Close()
+	tgt.policies = append(tgt.policies,
+		&localPolicy{
+			minTLSLevel: module.TLSAuthenticated, // Established via DANE instead of PKIX.
+		},
+	)
+
+	testutils.DoTestDelivery(t, tgt, "test@example.com", []string{"test@example.invalid"})
+	be.CheckMsg(t, 0, "test@example.com", []string{"test@example.invalid"})
+}
+
+func TestRemoteDelivery_DANE_CNAMEd_1(t *testing.T) {
+	_, be, srv := testutils.SMTPServerSTARTTLS(t, "127.0.0.1:"+smtpPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	// RFC 7672, Section 2.2.2. "Secure CNAME" case - TLSA at CNAME matches.
+	zones := map[string]mockdns.Zone{
+		"example.invalid.": {
+			MX: []net.MX{{Host: "mx.example.invalid.", Pref: 10}},
+		},
+		"mx.example.invalid.": {
+			AD:    true,
+			CNAME: "mx.cname.invalid.",
+		},
+		"mx.cname.invalid.": {
+			A: []string{"127.0.0.1"},
+		},
+		"_25._tcp.mx.cname.invalid.": {
+			AD: true,
+			Misc: tlsaRecord(
+				"_25._tcp.mx.cname.invalid.",
+				3, 1, 1, "a9b5cb4d02f996f6385debe9a8952f1af1f4aec7eae0f37c2cd6d0d8ee8391cf"),
+		},
+	}
+
+	dnsSrv, tgt := targetWithExtResolver(t, zones)
+	defer dnsSrv.Close()
+	tgt.policies = append(tgt.policies,
+		&localPolicy{
+			minTLSLevel: module.TLSAuthenticated, // Established via DANE instead of PKIX.
+		},
+	)
+
+	testutils.DoTestDelivery(t, tgt, "test@example.com", []string{"test@example.invalid"})
+	be.CheckMsg(t, 0, "test@example.com", []string{"test@example.invalid"})
+}
+
+func TestRemoteDelivery_DANE_CNAMEd_2(t *testing.T) {
+	_, be, srv := testutils.SMTPServerSTARTTLS(t, "127.0.0.1:"+smtpPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	// RFC 7672, Section 2.2.2. "Secure CNAME" case - TLSA at initial name matches.
+	zones := map[string]mockdns.Zone{
+		"example.invalid.": {
+			MX: []net.MX{{Host: "mx.example.invalid.", Pref: 10}},
+		},
+		"mx.example.invalid.": {
+			AD:    true,
+			CNAME: "mx.cname.invalid.",
+		},
+		"_25._tcp.mx.example.invalid.": {
+			AD: true,
+			Misc: tlsaRecord(
+				"_25._tcp.mx.cname.invalid.",
+				3, 1, 1, "a9b5cb4d02f996f6385debe9a8952f1af1f4aec7eae0f37c2cd6d0d8ee8391cf"),
+		},
+		"mx.cname.invalid.": {
+			AD: true,
+			A:  []string{"127.0.0.1"},
+		},
+	}
+
+	dnsSrv, tgt := targetWithExtResolver(t, zones)
+	defer dnsSrv.Close()
+	tgt.policies = append(tgt.policies,
+		&localPolicy{
+			minTLSLevel: module.TLSAuthenticated, // Established via DANE instead of PKIX.
+		},
+	)
+
+	testutils.DoTestDelivery(t, tgt, "test@example.com", []string{"test@example.invalid"})
+	be.CheckMsg(t, 0, "test@example.com", []string{"test@example.invalid"})
+}
+
+func TestRemoteDelivery_DANE_InsecureCNAMEDest(t *testing.T) {
+	clientCfg, be, srv := testutils.SMTPServerSTARTTLS(t, "127.0.0.1:"+smtpPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	// RFC 7672, Section 2.2.2. "Insecure CNAME" case - initial name is secure.
+	zones := map[string]mockdns.Zone{
+		"example.invalid.": {
+			MX: []net.MX{{Host: "mx.example.invalid.", Pref: 10}},
+		},
+		"mx.example.invalid.": {
+			AD:    true,
+			CNAME: "mx.cname.invalid.",
+		},
+		"_25._tcp.mx.example.invalid.": {
+			AD: true,
+			// This is the record that activates DANE but does not match the cert
+			// => delivery is failed.
+			Misc: tlsaRecord(
+				"_25._tcp.mx.example.invalid.",
+				3, 1, 1, "a9b5cb4d02f996f6385debe9a8952f1af1f4aec7eae0f37c2cd6d0d8ee8391cb"),
+		},
+		"_25._tcp.mx.cname.invalid.": {
+			AD: false,
+			// This is the record that matches the cert and would make delivery succeed
+			// but it should not be considered since AD=false.
+			Misc: tlsaRecord(
+				"_25._tcp.mx.cname.invalid.",
+				3, 1, 1, "a9b5cb4d02f996f6385debe9a8952f1af1f4aec7eae0f37c2cd6d0d8ee8391cf"),
+		},
+	}
+
+	dnsSrv, tgt := targetWithExtResolver(t, zones)
+	defer dnsSrv.Close()
+	tgt.tlsConfig = clientCfg
+
+	_, err := testutils.DoTestDeliveryErr(t, tgt, "test@example.com", []string{"test@example.invalid"})
+	if err == nil {
+		t.Error("Expected an error, got none")
+	}
+	if be.MailFromCounter != 0 {
+		t.Fatal("MAIL FROM issued but should not")
+	}
+}
+
+func TestRemoteDelivery_DANE_NonAD_TLSA_Ignore(t *testing.T) {
+	be, srv := testutils.SMTPServer(t, "127.0.0.1:"+smtpPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	// RFC 7672, Section 2.2.2. "Non-CNAME" case - initial name is insecure.
+	zones := map[string]mockdns.Zone{
+		"example.invalid.": {
+			MX: []net.MX{{Host: "mx.example.invalid.", Pref: 10}},
+		},
+		"mx.example.invalid.": {
+			A: []string{"127.0.0.1"},
+		},
+		"_25._tcp.mx.example.invalid.": {
+			Misc: tlsaRecord(
+				"_25._tcp.mx.example.invalid.",
+				3, 1, 1, "a9b5cb4d02f996f6385debe9a8952f1af1f4aec7eae0f37c2cd6d0d8ee8391cb"),
+		},
+	}
+
+	dnsSrv, tgt := targetWithExtResolver(t, zones)
+	defer dnsSrv.Close()
+
+	testutils.DoTestDelivery(t, tgt, "test@example.com", []string{"test@example.invalid"})
+	be.CheckMsg(t, 0, "test@example.com", []string{"test@example.invalid"})
+}
+
+func TestRemoteDelivery_DANE_NonADIgnore_CNAME(t *testing.T) {
+	be, srv := testutils.SMTPServer(t, "127.0.0.1:"+smtpPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	// RFC 7672, Section 2.2.2. "Insecure CNAME" case - initial name is insecure.
+	zones := map[string]mockdns.Zone{
+		"example.invalid.": {
+			MX: []net.MX{{Host: "mx.example.invalid.", Pref: 10}},
+		},
+		"mx.example.invalid.": {
+			CNAME: "mx.cname.invalid.",
+		},
+		"mx.cname.invalid.": {
+			A: []string{"127.0.0.1"},
+		},
+		"_25._tcp.mx.cname.invalid.": {
+			AD: true,
+			Misc: tlsaRecord(
+				"_25._tcp.mx.example.invalid.",
+				3, 1, 1, "a9b5cb4d02f996f6385debe9a8952f1af1f4aec7eae0f37c2cd6d0d8ee8391cb"),
+		},
+	}
+
+	dnsSrv, tgt := targetWithExtResolver(t, zones)
+	defer dnsSrv.Close()
+
+	testutils.DoTestDelivery(t, tgt, "test@example.com", []string{"test@example.invalid"})
+	be.CheckMsg(t, 0, "test@example.com", []string{"test@example.invalid"})
+}
+
+func TestRemoteDelivery_DANE_SkipAUnauth(t *testing.T) {
 	clientCfg, be, srv := testutils.SMTPServerSTARTTLS(t, "127.0.0.1:"+smtpPort)
 	defer srv.Close()
 	defer testutils.CheckSMTPConnLeak(t, srv)
@@ -87,10 +299,10 @@ func TestRemoteDelivery_DANE_Ok(t *testing.T) {
 			A: []string{"127.0.0.1"},
 		},
 		"_25._tcp.mx.example.invalid.": {
-			AD: true,
+			AD: false,
 			Misc: tlsaRecord(
 				"_25._tcp.mx.example.invalid.",
-				3, 1, 1, "a9b5cb4d02f996f6385debe9a8952f1af1f4aec7eae0f37c2cd6d0d8ee8391cf"),
+				3, 1, 1, "invalid hex will cause serialization error and no response will be sent"),
 		},
 	}
 
@@ -102,32 +314,6 @@ func TestRemoteDelivery_DANE_Ok(t *testing.T) {
 	be.CheckMsg(t, 0, "test@example.com", []string{"test@example.invalid"})
 }
 
-func TestRemoteDelivery_DANE_NonADIgnore(t *testing.T) {
-	be, srv := testutils.SMTPServer(t, "127.0.0.1:"+smtpPort)
-	defer srv.Close()
-	defer testutils.CheckSMTPConnLeak(t, srv)
-
-	zones := map[string]mockdns.Zone{
-		"example.invalid.": {
-			MX: []net.MX{{Host: "mx.example.invalid.", Pref: 10}},
-		},
-		"mx.example.invalid.": {
-			A: []string{"127.0.0.1"},
-		},
-		"_25._tcp.mx.example.invalid.": {
-			Misc: tlsaRecord(
-				"_25._tcp.mx.example.invalid.",
-				3, 1, 1, "a9b5cb4d02f996f6385debe9a8952f1af1f4aec7eae0f37c2cd6d0d8ee8391cf"),
-		},
-	}
-
-	dnsSrv, tgt := targetWithExtResolver(t, zones)
-	defer dnsSrv.Close()
-
-	testutils.DoTestDelivery(t, tgt, "test@example.com", []string{"test@example.invalid"})
-	be.CheckMsg(t, 0, "test@example.com", []string{"test@example.invalid"})
-}
-
 func TestRemoteDelivery_DANE_Mismatch(t *testing.T) {
 	clientCfg, be, srv := testutils.SMTPServerSTARTTLS(t, "127.0.0.1:"+smtpPort)
 	defer srv.Close()
@@ -185,34 +371,6 @@ func TestRemoteDelivery_DANE_NoRecord(t *testing.T) {
 	be.CheckMsg(t, 0, "test@example.com", []string{"test@example.invalid"})
 }
 
-func TestRemoteDelivery_DANE_NoADOnAAAA(t *testing.T) {
-	clientCfg, be, srv := testutils.SMTPServerSTARTTLS(t, "127.0.0.1:"+smtpPort)
-	defer srv.Close()
-	defer testutils.CheckSMTPConnLeak(t, srv)
-
-	zones := map[string]mockdns.Zone{
-		"example.invalid.": {
-			MX: []net.MX{{Host: "mx.example.invalid.", Pref: 10}},
-		},
-		"mx.example.invalid.": {
-			A: []string{"127.0.0.1"},
-		},
-		"_25._tcp.mx.example.invalid.": {
-			AD: true,
-			Misc: tlsaRecord(
-				"_25._tcp.mx.example.invalid.",
-				3, 1, 1, "a9b5cb4d02f996f6385debe9a8952f1af1f4aec7eae0f37c2cd6d0d8ee8391cf"),
-		},
-	}
-
-	dnsSrv, tgt := targetWithExtResolver(t, zones)
-	defer dnsSrv.Close()
-	tgt.tlsConfig = clientCfg
-
-	testutils.DoTestDelivery(t, tgt, "test@example.com", []string{"test@example.invalid"})
-	be.CheckMsg(t, 0, "test@example.com", []string{"test@example.invalid"})
-}
-
 func TestRemoteDelivery_DANE_LookupErr(t *testing.T) {
 	clientCfg, be, srv := testutils.SMTPServerSTARTTLS(t, "127.0.0.1:"+smtpPort)
 	defer srv.Close()
@@ -317,5 +475,3 @@ func TestRemoteDelivery_DANE_TLSError(t *testing.T) {
 		t.Fatal("MAIL FROM issued but should not")
 	}
 }
-
-// TODO(GH #90): Test other matching types, etc

internal/target/remote/dane_test.go

@@ -129,12 +129,29 @@ func TestVerifyDANE(t *testing.T) {
 		})
 	}
 
+	// RFC 7672, Section 2.2:
+	// An "insecure" TLSA RRset or DNSSEC-authenticated denial of existence
+	// of the TLSA records:
+	//    A connection to the MTA SHOULD be made using (pre-DANE)
+	// opportunistic TLS;
+	//
+	// "Insecure" TLSA RRset results in verifyDANE not being called at all,
+	// but for the latter (authenticated denial of existence) it is still
+	// called and should be tested for.
+	//
+	// More specific tests for TLSA RRset discovery (including CNAME
+	// shenanigans) are in dane_delivery_test.go.
 	test("no TLSA, TLS", []dns.TLSA{}, tls.ConnectionState{
 		HandshakeComplete: true,
 	}, false)
 	test("no TLSA, no TLS", []dns.TLSA{}, tls.ConnectionState{
 		HandshakeComplete: false,
 	}, false)
+
+	// RFC 7272, Section 2.2:
+	// A "secure" non-empty TLSA RRset where all the records are unusable:
+	//  Any connection to the MTA MUST be made via TLS, but authentication
+	//  is not required.
 	test("unusable TLSA, TLS", []dns.TLSA{
 		singleTlsaRecord(4, 1, 2, "whatever"),
 		singleTlsaRecord(4, 5, 2, "whatever"),
@@ -142,12 +159,18 @@ func TestVerifyDANE(t *testing.T) {
 	}, tls.ConnectionState{
 		HandshakeComplete: true,
 		PeerCertificates:  []*x509.Certificate{parsePEMCert(leafA)},
-	}, true)
+	}, false)
 	test("unusable TLSA, no TLS", []dns.TLSA{
 		singleTlsaRecord(4, 1, 2, "whatever"),
 	}, tls.ConnectionState{
 		HandshakeComplete: false,
 	}, true)
+
+	// RFC 7672, Section 2.2:
+	// A "secure" TLSA RRset with at least one usable record:  Any
+	//  connection to the MTA MUST employ TLS encryption and MUST
+	//  authenticate the SMTP server using the techniques discussed in the
+	//  rest of this document.
 	test("DANE-EE, non-self-signed", []dns.TLSA{
 		singleTlsaRecord(3, 1, 1, keySHA256(leafA)),
 	}, tls.ConnectionState{
@@ -189,6 +212,8 @@ func TestVerifyDANE(t *testing.T) {
 	test("DANE-TA, intermediate TA, multiple records", []dns.TLSA{
 		singleTlsaRecord(2, 1, 1, keySHA256(rootB)),
 		singleTlsaRecord(2, 1, 1, keySHA256(intermediateA)),
+		// Add multiple times to make sure that multiple records matching the
+		// same cert do not break anything.
 		singleTlsaRecord(2, 1, 1, keySHA256(intermediateA)),
 	}, tls.ConnectionState{
 		HandshakeComplete: true,

internal/target/remote/mxauth_test.go

@@ -303,7 +303,7 @@ func TestRemoteDelivery_AuthMX_DNSSEC(t *testing.T) {
 		},
 	}
 
-	dnsSrv, err := mockdns.NewServerWithLogger(zones, testutils.Logger(t, "mockdns"))
+	dnsSrv, err := mockdns.NewServerWithLogger(zones, testutils.Logger(t, "mockdns"), false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -342,7 +342,7 @@ func TestRemoteDelivery_AuthMX_DNSSEC_Fail(t *testing.T) {
 		},
 	}
 
-	dnsSrv, err := mockdns.NewServerWithLogger(zones, testutils.Logger(t, "mockdns"))
+	dnsSrv, err := mockdns.NewServerWithLogger(zones, testutils.Logger(t, "mockdns"), false)
 	if err != nil {
 		t.Fatal(err)
 	}

internal/target/remote/security.go

@@ -21,6 +21,7 @@ package remote
 import (
 	"context"
 	"crypto/tls"
+	"errors"
 	"os"
 	"time"
 
@@ -372,7 +373,9 @@ func (c *danePolicy) Init(cfg *config.Map) error {
 		c.log.Error("DANE support is no-op: unable to init EDNS resolver", err)
 	}
 
-	_, err = cfg.Process() // will fail if there is any directive
+	cfg.Bool("debug", true, log.DefaultLogger.Debug, &c.log.Debug)
+
+	_, err = cfg.Process()
 	return err
 }
 
@@ -386,6 +389,75 @@ func (c *danePolicy) Close() error {
 
 func (c *daneDelivery) PrepareDomain(ctx context.Context, domain string) {}
 
+func (c *daneDelivery) discoverTLSA(ctx context.Context, mx string) ([]dns.TLSA, error) {
+	adA, rname, err := c.c.extResolver.CheckCNAMEAD(ctx, mx)
+	if err != nil {
+		// This may indicate a bogus DNSSEC signature or other lookup issue
+		// (including non-existing domain).
+		// Per RFC 7672, any I/O errors (including SERVFAIL) should
+		// cause delivery to be delayed.
+		return nil, err
+	}
+	if rname == "" {
+		// No A/AAAA records, short-circut discovery instead of doing useless
+		// queries.
+		return nil, errors.New("no address associated with the host")
+	}
+	if !adA {
+		// If A lookup is not DNSSEC-authenticated we assume the server cannot
+		// have TLSA record and skip trying to actually lookup TLSA
+		// to avoid hitting weird errors like SERVFAIL, NOTIMP
+		// e.g. see https://github.com/foxcpp/maddy/issues/287
+		if rname == mx {
+			c.c.log.Debugln("skipping DANE for", mx, "due to non-authenticated A records")
+			return nil, nil
+		}
+
+		// But if it is CNAME'd then we may not want to skip it and actually
+		// consider initial name since it may be signed. To confirm the
+		// initial name is signed, do CNAME lookup.
+		cnameAD, _, err := c.c.extResolver.AuthLookupCNAME(ctx, mx)
+		if err != nil {
+			return nil, err
+		}
+		if !cnameAD {
+			c.c.log.Debugln("skipping DANE for", mx, "due to non-authenticated CNAME record")
+			return nil, nil
+		}
+	}
+
+	// If there was a CNAME - try it first.
+	if rname != mx {
+		ad, recs, err := c.c.extResolver.AuthLookupTLSA(ctx, "25", "tcp", rname)
+		if err != nil && !dns.IsNotFound(err) {
+			return nil, err
+		}
+		if ad && len(recs) != 0 {
+			// recs may be empty or contain only unusable records - this is
+			// okay per RFC 7672, no fallback to initial name is done.
+			c.c.log.Debugln("using", len(recs), "DANE records at", rname, "to authenticate", mx)
+			return recs, nil
+		}
+		// Per RFC 7672 Section 2.2 we interpret a non-authenticated RRset just
+		// like an empty RRset and fallback to trying original name.
+		c.c.log.Debugln("ignoring non-authenticated TLSA records for", rname)
+	}
+
+	// If initial name is not a CNAME or final canonical name is not "secure"
+	// - we consider TLSA under the initial name.
+	ad, recs, err := c.c.extResolver.AuthLookupTLSA(ctx, "25", "tcp", mx)
+	if err != nil && !dns.IsNotFound(err) {
+		return nil, err
+	}
+	if !ad {
+		c.c.log.Debugln("ignoring non-authenticated TLSA records for", mx)
+		return nil, nil
+	}
+
+	c.c.log.Debugln("using", len(recs), "DANE records at original name to authenticate", mx)
+	return recs, nil
+}
+
 func (c *daneDelivery) PrepareConn(ctx context.Context, mx string) {
 	// No DNSSEC support.
 	if c.c.extResolver == nil {
@@ -395,39 +467,7 @@ func (c *daneDelivery) PrepareConn(ctx context.Context, mx string) {
 	c.tlsaFut = future.New()
 
 	go func() {
-		adA, _, err := c.c.extResolver.AuthLookupIPAddr(ctx, mx)
-		if err != nil {
-			// This may indicate a bogus DNSSEC signature or other lookup issue
-			// (including non-existing domain).
-			c.tlsaFut.Set([]dns.TLSA(nil), err)
-			return
-		}
-		if !adA {
-			// If A/AAAA lookup is not DNSSEC-authenticated we assume the server cannot
-			// have TLSA record and skip trying to actually lookup TLSA
-			// to avoid hitting weird errors like SERVFAIL, NOTIMP
-			// e.g. see https://github.com/foxcpp/maddy/issues/287
-			c.tlsaFut.Set([]dns.TLSA(nil), nil)
-			return
-		}
-
-		ad, recs, err := c.c.extResolver.AuthLookupTLSA(ctx, "25", "tcp", mx)
-		if err != nil {
-			c.tlsaFut.Set([]dns.TLSA(nil), err)
-			return
-		}
-		if !ad {
-			// Per https://tools.ietf.org/html/rfc7672#section-2.2 we interpret
-			// a non-authenticated RRset just like an empty RRset. Side note:
-			// "bogus" signatures are expected to be caught by the upstream
-			// resolver.
-			c.tlsaFut.Set([]dns.TLSA(nil), err)
-			return
-		}
-
-		// recs can be empty indicating absence of records.
-
-		c.tlsaFut.Set(recs, err)
+		c.tlsaFut.Set(c.discoverTLSA(ctx, mx))
 	}()
 }
 

tests/t.go

@@ -93,7 +93,7 @@ func (t *T) DNS(zones map[string]mockdns.Zone) {
 		t.dnsServ.Close()
 	}
 
-	dnsServ, err := mockdns.NewServer(zones)
+	dnsServ, err := mockdns.NewServer(zones, false)
 	if err != nil {
 		t.Fatal("Test configuration failed:", err)
 	}