On Tue, Feb 2, 2016 at 11:59 AM, A. Schulze via Unbound-users <
unbound-users@unbound.net> wrote:
>
> If I disable "use-caps-for-id" I get NXDOMAIN from unbound.
> So "caps-whitelist: postbank.de" solved the issue for me.
>
>
Looks like the postbank.de servers aren't performing a proper NSEC3
A. Schulze via Unbound-users wrote:
> But other people report they get NXDOMAIN and not SERVFAIL like I do.
> (https://mail.sys4.de/mailman/private/dane-users/2016-February/thread.html)
>
> So I'd like to ask if unbound may behave differently than bind.
Yes, dig
Daisuke HIGASHI:
All postbank.de nameservers are sending a malformed UDP reply with TC.
But my Unbound (1.5.7) resolver retries the query via TCP to get the correct answer.
Is your firewall dropping malformed DNS messages or TCP DNS queries?
not that I know / no firewall in the way
and tcp is