
All postbank.de nameservers are sending malformed UDP replies with TC set.
But my Unbound (1.5.7) resolver retries the query via TCP to get the correct answer.

Is your firewall dropping malformed DNS messages or TCP DNS queries?

$ dig @ns3.postbank.de. _25._tcp.mailrelay2.bonn.postbank.de +dnssec +norec +ignore
;; *** Warning: Message parser reports malformed message packet. ***

; <<>> DiG 9.9.5-3-Ubuntu <<>> @ns3.postbank.de. _25._tcp.mailrelay2.bonn.postbank.de +dnssec +norec +ignore
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44126
;; flags: qr aa tc ad; QUERY: 1, ANSWER: 0, AUTHORITY: 12, ADDITIONAL: 1
;; WARNING: Message has 53 extra bytes at end

;_25._tcp.mailrelay2.bonn.postbank.de. IN A

2016-02-02 22:15 GMT+09:00 A. Schulze via Unbound-users
> Hello,
> postfix as MTA supports DANE, which relies on DNSSEC. I use unbound for this
> purpose.
> I found my postfix could not deliver messages to postbank.de and dslbank.de.
> I guess there is something wrong with their DNS Servers.
> $ posttls-finger postbank.de
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
> found. Name service error for name=_25._tcp.mailrelay2.bonn.postbank.de
> type=TLSA: Host not found, try again
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
> found. Name service error for name=_25._tcp.mailrelay2.bonn.postbank.de
> type=TLSA: Host not found, try again
> posttls-finger: Failed to establish session to postbank.de via
> mailrelay2.bonn.postbank.de: TLSA lookup error for
> mailrelay2.bonn.postbank.de:25
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
> found. Name service error for name=_25._tcp.mailrelay1.bonn.postbank.de
> type=TLSA: Host not found, try again
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
> found. Name service error for name=_25._tcp.mailrelay1.bonn.postbank.de
> type=TLSA: Host not found, try again
> posttls-finger: Failed to establish session to postbank.de via
> mailrelay1.bonn.postbank.de: TLSA lookup error for
> mailrelay1.bonn.postbank.de:25
> $ dig _25._tcp.mailrelay2.bonn.postbank.de. tlsa
> ; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> _25._tcp.mailrelay2.bonn.postbank.de.
> tlsa
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29288
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ; EDNS: version: 0, flags:; udp: 4096
> ;_25._tcp.mailrelay2.bonn.postbank.de. IN TLSA
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Tue Feb 02 14:04:08 CET 2016
> ;; MSG SIZE  rcvd: 65
> But other people report they get NXDOMAIN and not SERVFAIL like I do.
> (https://mail.sys4.de/mailman/private/dane-users/2016-February/thread.html)
> So I would like to ask if unbound may behave differently than bind.
> Just learned that both domains aren't configured perfectly:
>  - http://dnsviz.net/d/dslbank.de/dnssec/
>  - http://dnsviz.net/d/postbank.de/dnssec/
> Is there anything I could adjust by configuration?
> Thanks
> Andreas
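As an added illustration, not code from this thread or from Unbound, here is a small Python parser that performs the check behind dig's warning above: it walks the header and every section of a DNS reply and reports whether TC is set, the RCODE, and how many bytes trail the last record. The message bytes are constructed to mimic the shape reported above (qr aa tc ad, NXDOMAIN, 53 extra bytes); they are not a capture from the postbank.de servers.

```python
import struct

# Constructed sample, not a capture from the postbank.de servers: a reply with
# flags qr aa tc ad, RCODE 3 (NXDOMAIN), one question, one authority NS record
# and 53 junk bytes appended, the shape dig reports as "extra bytes at end".

def encode_name(name):
    """Wire-format an uncompressed domain name."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a possibly compressed name at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length

def inspect_response(msg):
    """Walk header and every section; report TC, RCODE and trailing bytes."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        (rdlength,) = struct.unpack("!H", msg[off + 8:off + 10])  # after TYPE, CLASS, TTL
        off += 10 + rdlength
    return {"tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F,
            "extra_bytes": len(msg) - off}

def build_sample():
    flags = 0x8000 | 0x0400 | 0x0200 | 0x0020 | 3   # qr aa tc ad, NXDOMAIN
    header = struct.pack("!6H", 44126, flags, 1, 0, 1, 0)
    question = encode_name("_25._tcp.mailrelay2.bonn.postbank.de") + struct.pack("!HH", 1, 1)
    # Authority NS RR whose owner is a pointer to "postbank.de" inside the question (offset 37).
    rdata = encode_name("ns3.postbank.de")
    authority = b"\xc0\x25" + struct.pack("!HHIH", 2, 1, 3600, len(rdata)) + rdata
    return header + question + authority + bytes(range(53))

if __name__ == "__main__":
    info = inspect_response(build_sample())
    print(info)
    if info["tc"]:
        print("TC set: the resolver must retry this query over TCP")
    if info["extra_bytes"]:
        print(f"malformed: {info['extra_bytes']} bytes after the last record")
```

Feeding the same function the raw bytes of a real reply (for example the payload from a packet capture) shows whether a resolver in this situation is obliged to fall back to TCP, which is the path a firewall dropping TCP/53 would break.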
