Hi,
All postbank.de nameservers are sending malformed UDP reply with TC.
But my Unbound (1.5.7) resolver retries query via TCP to get correct answer.
Your firewall is dropping malformed DNS messages or TCP DNS queries?
$ dig @ns3.postbank.de. _25._tcp.mailrelay2.bonn.postbank.de +dnssec
+norec +ignore
;; *** Warning: Message parser reports malformed message packet. ***
; <<>> DiG 9.9.5-3-Ubuntu <<>> @ns3.postbank.de.
_25._tcp.mailrelay2.bonn.postbank.de +dnssec +norec +ignore
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44126
;; flags: qr aa tc ad; QUERY: 1, ANSWER: 0, AUTHORITY: 12, ADDITIONAL: 1
;; WARNING: Message has 53 extra bytes at end
;; QUESTION SECTION:
;_25._tcp.mailrelay2.bonn.postbank.de. IN A
2016-02-02 22:15 GMT+09:00 A. Schulze via Unbound-users
:
>
> Hello,
>
> postfix as MTA support DANE which rely on DNSSEC. I use unbound for this
> purpose.
> I found my postfix could not deliver message to postbank.de and dslbank.de
> I guess there is something wrong with their DNS Servers.
>
> $ posttls-finger postbank.de
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
> found. Name service error for name=_25._tcp.mailrelay2.bonn.postbank.de
> type=TLSA: Host not found, try again
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
> found. Name service error for name=_25._tcp.mailrelay2.bonn.postbank.de
> type=TLSA: Host not found, try again
> posttls-finger: Failed to establish session to postbank.de via
> mailrelay2.bonn.postbank.de: TLSA lookup error for
> mailrelay2.bonn.postbank.de:25
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
> found. Name service error for name=_25._tcp.mailrelay1.bonn.postbank.de
> type=TLSA: Host not found, try again
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
> found. Name service error for name=_25._tcp.mailrelay1.bonn.postbank.de
> type=TLSA: Host not found, try again
> posttls-finger: Failed to establish session to postbank.de via
> mailrelay1.bonn.postbank.de: TLSA lookup error for
> mailrelay1.bonn.postbank.de:25
>
> $ dig _25._tcp.mailrelay2.bonn.postbank.de. tlsa
>
> ; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> _25._tcp.mailrelay2.bonn.postbank.de.
> tlsa
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29288
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;_25._tcp.mailrelay2.bonn.postbank.de. IN TLSA
>
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Tue Feb 02 14:04:08 CET 2016
> ;; MSG SIZE rcvd: 65
>
> But other people report they get NXDOMAIN and not SERVFAIL like I do.
> (https://mail.sys4.de/mailman/private/dane-users/2016-February/thread.html)
>
> So I like to ask if unbound may behave different then bind.
>
> Just learned that both domain aren't configured perfect:
> - http://dnsviz.net/d/dslbank.de/dnssec/
> - http://dnsviz.net/d/postbank.de/dnssec/
>
>
> Is there anything I could adjust by configuration?
>
> Thanks
> Andreas
>
>