Re: postbank.de / dslbank.de and DNSSEC and DANE

2016-02-02 Thread Daisuke HIGASHI via Unbound-users
Hi,

All postbank.de nameservers are sending malformed UDP reply with TC.
But my Unbound (1.5.7) resolver retries the query via TCP to get the correct answer.

Is your firewall dropping malformed DNS messages or TCP DNS queries?


$ dig @ns3.postbank.de. _25._tcp.mailrelay2.bonn.postbank.de +dnssec +norec +ignore
;; *** Warning: Message parser reports malformed message packet. ***

; <<>> DiG 9.9.5-3-Ubuntu <<>> @ns3.postbank.de. _25._tcp.mailrelay2.bonn.postbank.de +dnssec +norec +ignore
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44126
;; flags: qr aa tc ad; QUERY: 1, ANSWER: 0, AUTHORITY: 12, ADDITIONAL: 1
;; WARNING: Message has 53 extra bytes at end

;; QUESTION SECTION:
;_25._tcp.mailrelay2.bonn.postbank.de. IN A


2016-02-02 22:15 GMT+09:00 A. Schulze via Unbound-users:
>
> Hello,
>
> Postfix as MTA supports DANE, which relies on DNSSEC. I use Unbound for this
> purpose.
> I found my Postfix could not deliver messages to postbank.de and dslbank.de.
> I guess there is something wrong with their DNS servers.
>
> $ posttls-finger postbank.de
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
> found. Name service error for name=_25._tcp.mailrelay2.bonn.postbank.de
> type=TLSA: Host not found, try again
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
> found. Name service error for name=_25._tcp.mailrelay2.bonn.postbank.de
> type=TLSA: Host not found, try again
> posttls-finger: Failed to establish session to postbank.de via
> mailrelay2.bonn.postbank.de: TLSA lookup error for
> mailrelay2.bonn.postbank.de:25
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
> found. Name service error for name=_25._tcp.mailrelay1.bonn.postbank.de
> type=TLSA: Host not found, try again
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
> found. Name service error for name=_25._tcp.mailrelay1.bonn.postbank.de
> type=TLSA: Host not found, try again
> posttls-finger: Failed to establish session to postbank.de via
> mailrelay1.bonn.postbank.de: TLSA lookup error for
> mailrelay1.bonn.postbank.de:25
>
> $ dig _25._tcp.mailrelay2.bonn.postbank.de. tlsa
>
> ; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> _25._tcp.mailrelay2.bonn.postbank.de. tlsa
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29288
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;_25._tcp.mailrelay2.bonn.postbank.de. IN TLSA
>
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Tue Feb 02 14:04:08 CET 2016
> ;; MSG SIZE  rcvd: 65
>
> But other people report they get NXDOMAIN and not SERVFAIL like I do.
> (https://mail.sys4.de/mailman/private/dane-users/2016-February/thread.html)
>
> So I'd like to ask if Unbound may behave differently than BIND.
>
> Just learned that both domains aren't configured perfectly:
>  - http://dnsviz.net/d/dslbank.de/dnssec/
>  - http://dnsviz.net/d/postbank.de/dnssec/
>
>
> Is there anything I could adjust by configuration?
>
> Thanks
> Andreas
>
>

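The symptom Daisuke describes above (a UDP reply with TC set and a parser warning about extra bytes after the last record) is exactly what a resolver has to notice before it falls back to TCP. The following is an added example, not code from this thread or from Unbound: it builds two constructed replies for the TLSA query name from the thread (SOA contents are made up), walks the counted sections the way a message parser does, reports the TC flag and any undeclared trailing bytes, and applies the retry-over-TCP policy. The 53 trailing bytes mirror dig's "Message has 53 extra bytes at end" warning; the sample bytes themselves are constructed.

```python
import struct

# DNS header flag bits and rcodes (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_TC = 0x0200
FLAG_AD = 0x0020
RCODE_NXDOMAIN = 3
TYPE_SOA = 6
TYPE_TLSA = 52
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name starting at `off`.
    A compression pointer (top two bits set) is two bytes and ends the name."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def inspect_response(msg):
    """Walk a DNS reply far enough to find where the last counted record ends,
    and report header flags plus any bytes left over after that point."""
    if len(msg) < 12:
        raise ValueError("short header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("record header runs past end of message")
        _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
    if off > len(msg):
        raise ValueError("rdata runs past end of message")
    return {
        "id": ident,
        "rcode": flags & 0x000F,
        "tc": bool(flags & FLAG_TC),
        "aa": bool(flags & FLAG_AA),
        "ad": bool(flags & FLAG_AD),
        "counts": (qd, an, ns, ar),
        "extra_bytes": len(msg) - off,   # dig reports this as "extra bytes at end"
    }


def should_retry_over_tcp(msg):
    """Policy a resolver applies to a UDP reply: retry over TCP when the
    server flagged truncation or the message does not parse cleanly."""
    try:
        info = inspect_response(msg)
    except ValueError:
        return True
    return info["tc"] or info["extra_bytes"] > 0


def build_reply(truncated, trailing_garbage=b""):
    """Build a constructed NXDOMAIN reply for the TLSA query from the thread,
    with one SOA in the authority section (SOA contents are made up)."""
    flags = FLAG_QR | FLAG_AA | FLAG_AD | RCODE_NXDOMAIN
    if truncated:
        flags |= FLAG_TC
    header = struct.pack("!HHHHHH", 44126, flags, 1, 0, 1, 0)
    question = (encode_name("_25._tcp.mailrelay2.bonn.postbank.de")
                + struct.pack("!HH", TYPE_TLSA, CLASS_IN))
    soa_rdata = (encode_name("ns.example.net") + encode_name("hostmaster.example.net")
                 + struct.pack("!IIIII", 2016020201, 3600, 900, 604800, 300))
    authority = (encode_name("postbank.de")
                 + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 300, len(soa_rdata))
                 + soa_rdata)
    return header + question + authority + trailing_garbage


# Constructed samples: a clean reply, and one mimicking the thread's symptom
# (TC set plus 53 undeclared bytes after the last record).
CLEAN_REPLY = build_reply(truncated=False)
MALFORMED_REPLY = build_reply(truncated=True, trailing_garbage=b"\x00" * 53)

if __name__ == "__main__":
    for label, reply in (("clean", CLEAN_REPLY), ("malformed", MALFORMED_REPLY)):
        print(label, inspect_response(reply), "retry over TCP:", should_retry_over_tcp(reply))
```

If a firewall in front of the resolver drops port 53/TCP, the retry that should_retry_over_tcp() asks for never gets an answer, and the lookup degrades to the SERVFAIL Andreas sees; checking that `dig +tcp` reaches the authoritative servers from the resolver host is the quickest way to rule that out.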

Re: postbank.de / dslbank.de and DNSSEC and DANE

2016-02-02 Thread Tony Finch via Unbound-users
A. Schulze via Unbound-users wrote:

> But other people report they get NXDOMAIN and not SERVFAIL like I do.
> (https://mail.sys4.de/mailman/private/dane-users/2016-February/thread.html)
>
> So I'd like to ask if Unbound may behave differently than BIND.

Yes, dig _25._tcp.mailrelay2.bonn.postbank.de. tlsa works for me with
BIND. However dig +dnssec *.postbank.de. fails, so as you say, all is not
well.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Hebrides, Bailey: Westerly 7 to severe gale 9 at first in south, otherwise
cyclonic becoming northerly 5 to 7. Very high, becoming very rough or high.
Rain, then wintry showers. Moderate, occasionally poor.