Benny Pedersen <[email protected]> writes:
> On 2016-02-03 07:26, Andreas Schulze wrote:
>
>>> I don't use unbound
>>
>> a feature in unbound called "" was the reason
>> we now add an exception to unbound and get also NXDOMAIN
>> see
>> https://unbound.net/pipermail/unbound-users/2016-February/004192.html
>>
>> unbound.conf:
>> server: caps-whitelist: postbank.de
>>
>> (require unbound-1.5.4 or newer)
>
> another reason for not using unbound ?

The bug in the postbank.de servers will cause SERVFAIL with *any* DNSSEC
validator unless you are careful to keep the query lower case only.

You can easily verify this yourself. Simply query your validating
resolver for a non-existing name in postbank.de, capitalizing one or
more characters in the query:

  bjorn@nemi:~$ dig ns5.Postbank.de

  ; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> ns5.Postbank.de
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48848
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ;; QUESTION SECTION:
  ;ns5.Postbank.de. IN A

  ;; Query time: 1278 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Wed Feb 03 18:27:13 CET 2016
  ;; MSG SIZE rcvd: 44

No unbound involved here:

  bjorn@nemi:~$ dig version.bind txt chaos

  ; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> version.bind txt chaos
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44913
  ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
  ;; WARNING: recursion requested but not available

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ;; QUESTION SECTION:
  ;version.bind. CH TXT

  ;; ANSWER SECTION:
  version.bind. 0 CH TXT "9.9.5-9+deb8u5-Debian"

  ;; AUTHORITY SECTION:
  version.bind. 0 CH NS version.bind.

  ;; Query time: 1 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Wed Feb 03 18:29:22 CET 2016
  ;; MSG SIZE rcvd: 89


Bjørn
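
Added example, not part of the original message: the check described above, scripted in Python so that the all-lowercase and the mixed-case spelling of one name can be compared against the same validating resolver. The function names, the resolver address in the commented-out call and the sample reply bytes are constructed for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid, qtype=1):
    """Build a plain recursive A query, preserving the caller's letter case."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_response(msg):
    """Return (status, qname exactly as echoed in the question section)."""
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    rcode = flags & 0x000F
    labels, pos = [], 12
    while qdcount and msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return RCODES.get(rcode, "RCODE%d" % rcode), ".".join(labels)

def ask(resolver, name, qid=0x1234, timeout=5.0):
    """Send one UDP query to the resolver and parse its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        return parse_response(s.recv(4096))

def case_sensitive(lower_status, mixed_status):
    """True when only the mixed-case spelling fails, the symptom shown above."""
    return mixed_status == "SERVFAIL" and lower_status != "SERVFAIL"

def check(resolver, name):
    """Query the lowercase and the as-given spelling and compare the statuses."""
    lower, _ = ask(resolver, name.lower())
    mixed, _ = ask(resolver, name)
    return {"lower": lower, "mixed": mixed,
            "case_sensitive": case_sensitive(lower, mixed)}

# Constructed sample reply: flags qr rd ra, rcode 2, question ns5.Postbank.de
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
                + build_query("ns5.Postbank.de", 0)[12:])

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY))
    # Live check against a local validating resolver (address is an assumption):
    # print(check("127.0.0.1", "ns5.Postbank.de"))
```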
