postbank.de / dslbank.de and DNSSEC and DANE

Hello,

postfix as MTA supports DANE, which relies on DNSSEC. I use unbound for this purpose.
I found my postfix could not deliver messages to postbank.de and dslbank.de.
I guess there is something wrong with their DNS servers.

$ posttls-finger postbank.de
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mailrelay2.bonn.postbank.de type=TLSA: Host not found, try again
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mailrelay2.bonn.postbank.de type=TLSA: Host not found, try again
posttls-finger: Failed to establish session to postbank.de via mailrelay2.bonn.postbank.de: TLSA lookup error for mailrelay2.bonn.postbank.de:25
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mailrelay1.bonn.postbank.de type=TLSA: Host not found, try again
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mailrelay1.bonn.postbank.de type=TLSA: Host not found, try again
posttls-finger: Failed to establish session to postbank.de via mailrelay1.bonn.postbank.de: TLSA lookup error for mailrelay1.bonn.postbank.de:25

$ dig _25._tcp.mailrelay2.bonn.postbank.de. tlsa

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> _25._tcp.mailrelay2.bonn.postbank.de. tlsa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29288
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_25._tcp.mailrelay2.bonn.postbank.de. IN TLSA

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Feb 02 14:04:08 CET 2016
;; MSG SIZE rcvd: 65

But other people report they get NXDOMAIN and not SERVFAIL like I do.
(https://mail.sys4.de/mailman/private/dane-users/2016-February/thread.html)

So I'd like to ask if unbound may behave differently than bind.

Just learned that both domains aren't configured perfectly:
  - http://dnsviz.net/d/dslbank.de/dnssec/
  - http://dnsviz.net/d/postbank.de/dnssec/

Is there anything I could adjust by configuration?

Thanks
Andreas

Yes, dig _25._tcp.mailrelay2.bonn.postbank.de. tlsa works for me with
BIND. However dig +dnssec *.postbank.de. fails, so as you say, all is not
well.

Tony.

Hi,

All postbank.de nameservers are sending malformed UDP replies with TC set.
But my Unbound (1.5.7) resolver retries the query via TCP to get the correct answer.

Is your firewall dropping malformed DNS messages or TCP DNS queries?

Daisuke HIGASHI:

> All postbank.de nameservers are sending malformed UDP replies with TC set.
> But my Unbound (1.5.7) resolver retries the query via TCP to get the correct answer.
>
> Is your firewall dropping malformed DNS messages or TCP DNS queries?

Not that I know of / no firewall in the way,
and TCP is allowed, too.

BUT:
if I disable "use-caps-for-id" I get NXDOMAIN from unbound.
So "caps-whitelist: postbank.de" solved the issue for me.

Andreas

Looks like the postbank.de servers aren't performing a proper NSEC3 hash of
the mixed-case query name, so the provided closest encloser proof fails:

$ dig +noall +authority +dnssec @ns1.postbank.de foobar.pOstbank.de | grep 'IN NSEC3'
8opkcg718inciqib0r7f67m9g4o4gh71.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 8OPKCG718INCIQIB0R7F67M9G4O4GH73
v7ec9togm33vtn1pqin295lhh5tufuir.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 V7EC9TOGM33VTN1PQIN295LHH5TUFUIS
kt61b6gn579tvif3qsltnjg3f1f8umc6.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 KT61B6GN579TVIF3QSLTNJG3F1F8UMC8
$ nsec3hash E80EE91FDC6B4795 1 1 pOstbank.de
RIN3S92AN87PLVF22QR8PDRD0SA7KI5G (salt=E80EE91FDC6B4795, hash=1, iterations=1)

But:

$ dig +noall +authority +dnssec @ns1.postbank.de foobar.postbank.de | grep 'IN NSEC3'
rin3s92an87plvf22qr8pdrd0sa7ki5g.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 RIN3S92AN87PLVF22QR8PDRD0SA7KI5H
33okvta5htf2hmv16mrerpavmogho4ug.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 33OKVTA5HTF2HMV16MRERPAVMOGHO4UI
262b532h7r3gsgleslnb9f9fmumi3qb1.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 262B532H7R3GSGLESLNB9F9FMUMI3QB3
$ nsec3hash E80EE91FDC6B4795 1 1 postbank.de
RIN3S92AN87PLVF22QR8PDRD0SA7KI5G (salt=E80EE91FDC6B4795, hash=1, iterations=1)

Cheers,
Casey
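The following is an added worked example, not code from anyone in this thread. It implements the NSEC3 hash from RFC 5155 (SHA-1, salt, iterations, base32hex) and uses it to check the closest encloser proof against the two responses Casey posted above. The point it illustrates ties Andreas's finding to Casey's: a validator hashes the canonical (lowercase) form of the name, so a 0x20 case-randomized query such as foobar.pOstbank.de must yield the same NSEC3 hash as foobar.postbank.de; a server that hashes the name as received returns records that never match the closest encloser, and the NXDOMAIN proof fails with SERVFAIL. The NSEC3 owner/next pairs and the salt are copied from the dig output above; the function names and the zone-walk logic are this example's own.

```python
"""NSEC3 hashing (RFC 5155 section 5) and a closest-encloser match check.

Added example; sample records below are copied from the dig output in the
thread, everything else is this example's own construction.
"""
import base64
import hashlib

# base32 with the "extended hex" alphabet (RFC 4648 section 7), as NSEC3 uses.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(_B32_STD, _B32_HEX)

SALT_HEX = "E80EE91FDC6B4795"   # from the NSEC3 RDATA "1 0 1 E80EE91FDC6B4795"
ITERATIONS = 1                  # ditto; hash algorithm 1 = SHA-1


def name_to_wire(name: str, canonical: bool = True) -> bytes:
    """DNS wire format of a name. RFC 5155 hashes the *canonical* form
    (RFC 4034 section 6.2), i.e. lowercase labels. canonical=False keeps the
    caller's case, modelling a server that hashes the query name as received."""
    name = name.rstrip(".")
    if canonical:
        name = name.lower()
    if name == "":
        return b"\x00"                      # the root name
    wire = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name: str, salt_hex: str = SALT_HEX,
               iterations: int = ITERATIONS, canonical: bool = True) -> str:
    """IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt); return IH(iterations)
    as upper-case base32hex (20 SHA-1 bytes -> 32 chars, no padding)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name, canonical) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii")


def ancestors(qname: str):
    """Yield the proper ancestors of qname, closest first, down to the root."""
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels) + 1):
        yield ".".join(labels[i:])


def find_closest_encloser(qname: str, nsec3_owner_hashes, salt_hex=SALT_HEX,
                          iterations=ITERATIONS):
    """Return the closest ancestor of qname whose canonical NSEC3 hash matches
    the owner of one of the NSEC3 records in the response, or None if the
    proof cannot be completed (the validator's view, always canonical)."""
    owners = {h.upper() for h in nsec3_owner_hashes}
    for anc in ancestors(qname):
        if nsec3_hash(anc, salt_hex, iterations) in owners:
            return anc
    return None


# NSEC3 owner-name hashes returned by ns1.postbank.de (from the thread's dig output).
RESPONSE_FOR_MIXED_CASE = ["8opkcg718inciqib0r7f67m9g4o4gh71",
                           "v7ec9togm33vtn1pqin295lhh5tufuir",
                           "kt61b6gn579tvif3qsltnjg3f1f8umc6"]
RESPONSE_FOR_LOWERCASE = ["rin3s92an87plvf22qr8pdrd0sa7ki5g",
                          "33okvta5htf2hmv16mrerpavmogho4ug",
                          "262b532h7r3gsgleslnb9f9fmumi3qb1"]


if __name__ == "__main__":
    print("H(postbank.de)  =", nsec3_hash("postbank.de"))
    print("H(pOstbank.de)  =", nsec3_hash("pOstbank.de"), "(canonical, identical)")
    print("non-canonical   =", nsec3_hash("pOstbank.de", canonical=False))
    print("closest encloser, lowercase query :",
          find_closest_encloser("foobar.postbank.de", RESPONSE_FOR_LOWERCASE))
    print("closest encloser, mixed-case query:",
          find_closest_encloser("foobar.pOstbank.de", RESPONSE_FOR_MIXED_CASE))
```

Running it reproduces the nsec3hash value from Casey's post for both spellings of postbank.de, finds the closest encloser in the response to the lowercase query, and finds none in the response to the mixed-case query. That is exactly the situation a 0x20-enabled resolver (unbound's use-caps-for-id) is in: the proof does not validate, so the answer is SERVFAIL rather than NXDOMAIN, and caps-whitelist stops the case randomization for that zone.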