Re: SOLVED: postbank.de / dslbank.de and DNSSEC and DANE

On Tue, Feb 2, 2016 at 11:59 AM, A. Schulze via Unbound-users < unbound-users@unbound.net> wrote: > > if I disable "use-caps-for-id" I get NXDOMAIN from unbound. > so "caps-whitelist: postbank.de" solved the issue for me. > > Looks like the postbank.de servers aren't performing a proper NSEC3

Re: postbank.de / dslbank.de and DNSSEC and DANE

A. Schulze via Unbound-users wrote: > But other people report they get NXDOMAIN and not SERVFAIL like I do. > (https://mail.sys4.de/mailman/private/dane-users/2016-February/thread.html) > > So I like to ask if unbound may behave different then bind. Yes, dig

SOLVED: postbank.de / dslbank.de and DNSSEC and DANE

Daisuke HIGASHI: All postbank.de nameservers are sending malformed UDP reply with TC. But my Unbound (1.5.7) resolver retries query via TCP to get correct answer. Your firewall is dropping malformed DNS messages or TCP DNS queries? not that I know / no firewall in the way and tcp is