
Issue DANE change Option 3 0 1 to 3 1 1 - DANE EE certificate does not match SHA2-256

superfun2k23

New Pleskian
Server operating system version
Debian 12.2
Plesk version and microupdate number
18.0.57 #2
Hi,

I have had a problem with DANE for a few days now. I get feedback from customers that they can't send mails to my mailboxes.

They're getting this error:
DANE Security Alert: Unable to verify MX mail.xxxx.de (DANE-EE: DANE Certificate Association Data does not match client certificate (SHA2-256))

I've read that with Let's Encrypt I should use option 3 1 1 instead of 3 0 1, but where do I change this in Plesk?
Could this be the problem?

Because DNSSEC and DANE checks are fine and tell me the DANE EE certificate is OK.
 
Hi,

I've read that with Let's Encrypt I should use option 3 1 1 instead of 3 0 1, but where do I change this in Plesk?
Could this be the problem?
The options depend on what value is used for the record. "3 0 1" is expected in this case.

They're getting this error:
DANE Security Alert: Unable to verify MX mail.xxxx.de (DANE-EE: DANE Certificate Association Data does not match client certificate (SHA2-256))
I would suggest contacting Plesk Support to investigate what happened and why.

Because DNSSEC and DANE checks are fine and tell me the DANE EE certificate is OK.
It seems something happened during the certificate and TLSA records roll-over. Now, after a new certificate was installed and the TLSA records were updated, everything started working normally again.

This roll-over is supported by Plesk, and that is why I am asking you to contact the Plesk Support team to figure out how it is possible that the issue happened.
 
You are right, it should work; updating the keys works so far. When I renew the DANE TLSA keys, everything works as expected.
Regarding the DANE SMTP Service Checkup, everything works. (DANE TLSA 3 0 1 [d0bcebd1..]: OK matched EE certificate)

But I still get from some customers:
DANE Security Alert: Unable to verify MX mail.xxxx.de (DANE-EE: DANE Certificate Association Data does not match client certificate (SHA2-256))

I have a theory. Can it be that the customers themselves don't have DNSSEC/DANE, so it fails?
 
My theory is that the customer uses old cached TLSA records. While the cache has not expired, the customer is not receiving the new TLSA records (e.g. both the old and the new TLSA records, or just the new TLSA records), and that is the reason why the new certificate does not match the cached TLSA records.
 
Let's say you have a Plesk server in Europe.

An external mail system located in Canada wants to send an email to your server. The external server asks an external DNS server (provided by its Internet Service Provider, also in Canada) for the TLSA records. The external DNS server caches the TLSA records for some time. If the external mail server sends another email to your server, the external DNS server provides the required records from the cache of the DNS service in Canada.
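The two questions in this thread, whether "3 0 1" or "3 1 1" is the right record and why a stale TLSA record stops matching after a roll-over, both come down to what the association data hashes. The following is an added example, not code from the thread or from Plesk: it walks the DER structure of a certificate just far enough to pull out subjectPublicKeyInfo, computes the SHA2-256 data for selector 0 (whole certificate) and selector 1 (SPKI), checks a certificate against a published record, and shows that after a renewal that keeps the same key pair an old "3 0 1" record no longer matches while an old "3 1 1" record still does. The certificates are constructed stand-ins with the real field order, not real certificates; feed `tlsa_matches` a real DER certificate and your published RDATA to check a live setup.

```python
import hashlib
def _read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, element_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo from an X.509 certificate."""
    _, pos, _ = _read_tlv(cert_der, 0)        # Certificate SEQUENCE
    _, pos, _ = _read_tlv(cert_der, pos)      # tbsCertificate SEQUENCE
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                        # serial, sigAlg, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    _, _, end = _read_tlv(cert_der, pos)      # subjectPublicKeyInfo
    return cert_der[pos:end]
def tlsa_data(cert_der, selector):
    """SHA2-256 association data: selector 0 = whole cert, 1 = SPKI only."""
    material = cert_der if selector == 0 else extract_spki(cert_der)
    return hashlib.sha256(material).hexdigest()
def tlsa_matches(cert_der, record):
    """record is the published RDATA, e.g. '3 0 1 d0bcebd1...'."""
    usage, selector, mtype, data = record.split()
    if usage != "3" or mtype != "1":
        raise ValueError("this check covers DANE-EE with SHA2-256 only")
    return tlsa_data(cert_der, int(selector)) == data.lower()
# --- constructed stand-in certificates (real field order, not valid certs) ---
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body

def fake_cert(serial, spki):
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial]))
           + _tlv(0x30, b"") * 4 + spki)
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
            + _tlv(0x03, b"\x00" + bytes(33)))
OLD_CERT = fake_cert(1, SPKI)
NEW_CERT = fake_cert(2, SPKI)                 # renewed certificate, same key pair
def rollover_effect():
    """Records were published for OLD_CERT; does NEW_CERT still verify?"""
    rec_301 = "3 0 1 " + tlsa_data(OLD_CERT, 0)
    rec_311 = "3 1 1 " + tlsa_data(OLD_CERT, 1)
    return tlsa_matches(NEW_CERT, rec_301), tlsa_matches(NEW_CERT, rec_311)
```

`rollover_effect()` returns `(False, True)`: a resolver still serving the old "3 0 1" record rejects the renewed certificate, which is exactly the symptom reported by the senders above, whereas a "3 1 1" record survives a renewal that reuses the key.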
 