Re: SOLVED: postbank.de / dslbank.de and DNSSEC and DANE

2016-02-02 Thread Casey Deccio via Unbound-users
On Tue, Feb 2, 2016 at 11:59 AM, A. Schulze via Unbound-users <unbound-users@unbound.net> wrote:

>
> if I disable "use-caps-for-id" I get NXDOMAIN from unbound.
> so "caps-whitelist: postbank.de" solved the issue for me.
>
>
Looks like the postbank.de servers aren't performing a proper NSEC3 hash of
the mixed-case query name, so the provided closest encloser proof fails:

$ dig +noall +authority +dnssec @ns1.postbank.de foobar.pOstbank.de | grep 'IN NSEC3'
8opkcg718inciqib0r7f67m9g4o4gh71.postbank.de. 86400 IN NSEC3 1 0 1
E80EE91FDC6B4795 8OPKCG718INCIQIB0R7F67M9G4O4GH73
v7ec9togm33vtn1pqin295lhh5tufuir.postbank.de. 86400 IN NSEC3 1 0 1
E80EE91FDC6B4795 V7EC9TOGM33VTN1PQIN295LHH5TUFUIS
kt61b6gn579tvif3qsltnjg3f1f8umc6.postbank.de. 86400 IN NSEC3 1 0 1
E80EE91FDC6B4795 KT61B6GN579TVIF3QSLTNJG3F1F8UMC8
$ nsec3hash E80EE91FDC6B4795 1 1 pOstbank.de
RIN3S92AN87PLVF22QR8PDRD0SA7KI5G (salt=E80EE91FDC6B4795, hash=1, iterations=1)

But:

$ dig +noall +authority +dnssec @ns1.postbank.de foobar.postbank.de | grep 'IN NSEC3'
rin3s92an87plvf22qr8pdrd0sa7ki5g.postbank.de. 86400 IN NSEC3 1 0 1
E80EE91FDC6B4795 RIN3S92AN87PLVF22QR8PDRD0SA7KI5H
33okvta5htf2hmv16mrerpavmogho4ug.postbank.de. 86400 IN NSEC3 1 0 1
E80EE91FDC6B4795 33OKVTA5HTF2HMV16MRERPAVMOGHO4UI
262b532h7r3gsgleslnb9f9fmumi3qb1.postbank.de. 86400 IN NSEC3 1 0 1
E80EE91FDC6B4795 262B532H7R3GSGLESLNB9F9FMUMI3QB3
$ nsec3hash E80EE91FDC6B4795 1 1 postbank.de
RIN3S92AN87PLVF22QR8PDRD0SA7KI5G (salt=E80EE91FDC6B4795, hash=1, iterations=1)

Cheers,
Casey

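The check Casey does with nsec3hash, reproduced as an added example (this code is not from the thread, Unbound, or BIND): an RFC 5155 NSEC3 hasher in Python, run against the salt, iteration count and NSEC3 owner names copied from the dig output above. The `lowercase` switch models the difference between a server that hashes the canonical (lowercased) name, as the RFC requires, and one that hashes the query name exactly as a 0x20-randomising resolver sent it; the second produces a hash that matches none of the returned NSEC3 records, which is why the closest encloser proof fails and Unbound with `use-caps-for-id` ends up at SERVFAIL. The function and variable names are my own.

```python
# Added example (not from the thread): RFC 5155 NSEC3 hashing, used to
# reproduce the nsec3hash check and to show why hashing a mixed-case
# query name without lowercasing it breaks the closest encloser proof.
import base64
import hashlib

# RFC 4648 base32hex alphabet, derived by translating the standard base32 one.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def base32hex(data: bytes) -> str:
    """Encode bytes as unpadded base32hex (the NSEC3 owner-name encoding)."""
    return base64.b32encode(data).translate(_TO_HEX).decode("ascii").rstrip("=")


def wire_name(name: str, lowercase: bool = True) -> bytes:
    """Owner name in wire format; canonical form (RFC 4034 6.2) lowercases labels."""
    name = name.rstrip(".")
    if lowercase:
        name = name.lower()
    out = bytearray()
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminator
    return bytes(out)


def nsec3_hash(name: str, salt_hex: str, iterations: int, lowercase: bool = True) -> str:
    """IH(salt, name, iterations) from RFC 5155 section 5, SHA-1 (hash algorithm 1)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name, lowercase) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def proves_closest_encloser(nsec3_owners, encloser: str, salt_hex: str, iterations: int) -> bool:
    """True if one of the NSEC3 owner hashes equals the hash of the closest encloser."""
    want = nsec3_hash(encloser, salt_hex, iterations)
    have = {owner.split(".", 1)[0].upper() for owner in nsec3_owners}
    return want in have


# Values copied from the dig output quoted in the thread.
SALT = "E80EE91FDC6B4795"
ITERATIONS = 1
MIXED_CASE_REPLY = [  # NSEC3 owners returned for foobar.pOstbank.de
    "8opkcg718inciqib0r7f67m9g4o4gh71.postbank.de.",
    "v7ec9togm33vtn1pqin295lhh5tufuir.postbank.de.",
    "kt61b6gn579tvif3qsltnjg3f1f8umc6.postbank.de.",
]
LOWER_CASE_REPLY = [  # NSEC3 owners returned for foobar.postbank.de
    "rin3s92an87plvf22qr8pdrd0sa7ki5g.postbank.de.",
    "33okvta5htf2hmv16mrerpavmogho4ug.postbank.de.",
    "262b532h7r3gsgleslnb9f9fmumi3qb1.postbank.de.",
]

if __name__ == "__main__":
    # A correct hasher gives the same result for either spelling of the apex.
    print(nsec3_hash("postbank.de", SALT, ITERATIONS))
    print(nsec3_hash("pOstbank.de", SALT, ITERATIONS))
    # Hashing the name as sent on the wire (no lowercasing) gives something else.
    print(nsec3_hash("pOstbank.de", SALT, ITERATIONS, lowercase=False))
    # The mixed-case reply carries no NSEC3 for the apex hash; the lowercase one does.
    print(proves_closest_encloser(MIXED_CASE_REPLY, "postbank.de", SALT, ITERATIONS))
    print(proves_closest_encloser(LOWER_CASE_REPLY, "postbank.de", SALT, ITERATIONS))
```

The apex hash is what a validator needs here because postbank.de is the closest encloser of the non-existent foobar.postbank.de; a reply whose NSEC3 set contains no record owned by that hash cannot prove the name's absence, regardless of what the other two records cover.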

Re: postbank.de / dslbank.de and DNSSEC and DANE

2016-02-02 Thread Tony Finch via Unbound-users
A. Schulze via Unbound-users wrote:

> But other people report they get NXDOMAIN and not SERVFAIL like I do.
> (https://mail.sys4.de/mailman/private/dane-users/2016-February/thread.html)
>
> So I'd like to ask if unbound may behave differently than bind.

Yes, dig _25._tcp.mailrelay2.bonn.postbank.de. tlsa works for me with
BIND. However dig +dnssec *.postbank.de. fails, so as you say, all is not
well.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/
Hebrides, Bailey: Westerly 7 to severe gale 9 at first in south, otherwise
cyclonic becoming northerly 5 to 7. Very high, becoming very rough or high.
Rain, then wintry showers. Moderate, occasionally poor.


SOLVED: postbank.de / dslbank.de and DNSSEC and DANE

2016-02-02 Thread A. Schulze via Unbound-users


Daisuke HIGASHI:

> All postbank.de nameservers are sending malformed UDP reply with TC.
> But my Unbound (1.5.7) resolver retries query via TCP to get correct answer.
>
> Your firewall is dropping malformed DNS messages or TCP DNS queries?

Not that I know of / no firewall in the way,
and TCP is allowed, too.

BUT:
If I disable "use-caps-for-id" I get NXDOMAIN from unbound,
so "caps-whitelist: postbank.de" solved the issue for me.

Andreas