Messages to bsws.de and yos.net (same MX) fail because unbound could not resolve the names. http://dnsviz.net/d/yos.net/dnssec/ shows some strange warnings.
I found two general ways to solve the problem:
- disable DNSSEC validation entirely
- disable qname-minimisation
Last resort: forward the domain to another resolver.
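The three approaches above, written out as unbound.conf fragments. This is an added example, not configuration from the original post; the forwarder address 192.0.2.53 is a placeholder from the documentation range, not a real resolver. The options are alternatives, so only the least disruptive ones are left active.

```conf
server:
    # Turn off QNAME minimisation so unbound sends the full name
    # a.mx.bsws.de instead of first asking for mx.bsws.de and stopping
    # on that NXDOMAIN. This also disables the privacy benefit for every
    # other zone, not just the broken one.
    qname-minimisation: no

    # Treat only these two zones as unsigned, leaving validation on
    # elsewhere. (Later in the thread the poster reports that this
    # alone did not fix delivery.)
    domain-insecure: "bsws.de"
    domain-insecure: "yos.net"

    # Disabling DNSSEC validation entirely: drop the validator module.
    # Commented out because it affects every zone.
    # module-config: "iterator"

# Last resort: hand the two zones to another resolver.
forward-zone:
    name: "bsws.de"
    forward-addr: 192.0.2.53    # placeholder address
forward-zone:
    name: "yos.net"
    forward-addr: 192.0.2.53    # placeholder address
```

Check the file with unbound-checkconf before reloading. Note that a forward-zone for a signed zone is still validated unless the matching domain-insecure line is present.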
The domain responds with a DNSSEC-signed NXDOMAIN for mx.bsws.de, and
thus a.mx.bsws.de cannot exist. With qname-minimisation unbound then
stops.
Qname minimisation in unbound assumes that DNSSEC-signed domains will
do their NXDOMAIN correctly. (Note the replay possibility on that
NSEC3-signed domain to its subdomains.) There are also various
internet drafts (RFCs) in progress that say that nodes under an
NXDOMAIN node do not exist.
So, these people should fix their implementation. It is not safe.
Someone may remove their MX (mail server) addresses, and gain DNSSEC
validity. And could do that too with TLSA and claim it was insecure
(vis-à-vis TLSA mailserver security).
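A toy model of the failure described in this reply, added here as an illustration and not unbound's code. It simulates a resolver doing QNAME minimisation (walking down one label at a time with NS queries, as in RFC 7816; the zone cut at bsws.de is assumed known) against two authoritative servers: one that answers NXDOMAIN for the empty non-terminal mx.bsws.de, as the thread says the real server does, and a conforming one that answers NODATA there. The zone contents and the address 192.0.2.25 are constructed for the example. The NXDOMAIN-cut semantics the reply mentions as drafts were later published as RFC 8020.

```python
"""
Toy model of QNAME minimisation meeting an authoritative server that
answers NXDOMAIN for an intermediate name (mx.bsws.de) even though a
name below it (a.mx.bsws.de) exists.

Added illustration, not unbound's code. Zone data and 192.0.2.25 are
constructed for the example.
"""
from typing import Callable, Dict, List, Optional, Tuple

Rcode = str
Answer = Tuple[Rcode, Optional[str]]
Server = Callable[[str, str], Answer]
QueryLog = List[Tuple[str, str, Rcode]]

# Constructed zone: mx.bsws.de has no records of its own; it is an
# "empty non-terminal" that exists only because a.mx.bsws.de sits below it.
ZONE: Dict[str, Dict[str, str]] = {
    "bsws.de.": {
        "SOA": "ns1.bsws.de. hostmaster.bsws.de. 1 3600 600 86400 300",
        "NS": "ns1.bsws.de.",
    },
    "a.mx.bsws.de.": {"A": "192.0.2.25"},
}


def labels(name: str) -> List[str]:
    return name.rstrip(".").split(".")


def broken_authoritative(qname: str, qtype: str) -> Answer:
    """Misbehaving server: any name without records of its own gets NXDOMAIN,
    empty non-terminals included. This is what the thread describes."""
    if qname in ZONE:
        return "NOERROR", ZONE[qname].get(qtype)
    return "NXDOMAIN", None


def correct_authoritative(qname: str, qtype: str) -> Answer:
    """Conforming server: an empty non-terminal answers NOERROR with no data
    (NODATA); only names with nothing beneath them get NXDOMAIN."""
    if qname in ZONE:
        return "NOERROR", ZONE[qname].get(qtype)
    if any(owner.endswith("." + qname) for owner in ZONE):
        return "NOERROR", None
    return "NXDOMAIN", None


def resolve(qname: str, qtype: str, server: Server, minimise: bool,
            apex: str = "bsws.de.") -> Tuple[Rcode, Optional[str], QueryLog]:
    """Resolve qname/qtype against `server`; return (rcode, rdata, query log).

    With minimise=True the resolver walks down from the zone apex one label
    at a time, asking NS for each intermediate name, and treats an NXDOMAIN
    on an ancestor as proof that nothing exists beneath it, which is what a
    validator may conclude from a signed NXDOMAIN. The apex is assumed to be
    a known zone cut for this example.
    """
    log: QueryLog = []
    if minimise:
        parts = labels(qname)
        # Intermediate names strictly between the apex and the full qname,
        # shortest first: for a.mx.bsws.de that is just mx.bsws.de.
        for depth in range(len(labels(apex)) + 1, len(parts)):
            partial = ".".join(parts[-depth:]) + "."
            rcode, _ = server(partial, "NS")
            log.append((partial, "NS", rcode))
            if rcode == "NXDOMAIN":
                # Nothing below an NXDOMAIN name can exist: stop here.
                return "NXDOMAIN", None, log
    rcode, rdata = server(qname, qtype)
    log.append((qname, qtype, rcode))
    return rcode, rdata, log


if __name__ == "__main__":
    for name, server in (("broken", broken_authoritative),
                         ("correct", correct_authoritative)):
        for minimise in (True, False):
            rcode, rdata, log = resolve("a.mx.bsws.de.", "A", server, minimise)
            print(f"{name:7s} minimise={minimise!s:5s} -> {rcode} {rdata} via {log}")
```

Against the broken server the minimised lookup never asks for a.mx.bsws.de at all, which is the "unbound then stops" in the reply; the same server answers fine when the full name is sent, which is why disabling qname-minimisation works around it. Against the conforming server both modes reach the A record.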
domain-insecure: "bsws.de" and yos.net may be a suitable workaround.
DNSSEC is broken for the domain.
thanks for the explanation
domain-insecure: "bsws.de" and yos.net may be a suitable workaround.
That alone does not help. I now forward the domain to another, less restrictive resolver.