cannot resolv a.mx.bsws.de
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Fri Aug 26 12:26:27 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi Andreas,
The domain responds with a DNSSEC-signed NXDOMAIN for mx.bsws.de, and
thus a.mx.bsws.de cannot exist. With qname-minimisation unbound then
stops.
Qname minimisation in unbound assumes that dnssec signed domains will
do their NXDOMAIN correctly. (Note the replay possibility on that
NSEC3 signed domain to its subdomains). There are also various
internet drafts (RFCs) in progress that say that nodes under an
NXDOMAIN node do not exist.
So, these people should fix their implementation. It is not safe.
Someone may remove their MX (mail server) addresses, and gain DNSSEC
validity. And could do that too with TLSA and claim it was unsecure
(vis a vis TLSA mailserver security).
domain-insecure: "bsws.de" and yos.net may be a suitable workaround.
DNSSEC is broken for the domain.
Best regards, Wouter
On 26/08/16 14:06, A. Schulze via Unbound-users wrote:
> Hello,
>
> messages to bsws.de and yos.net (same mx) fail because unbound
> could not resolve the names. http://dnsviz.net/d/yos.net/dnssec/
> show some strange warnings.
>
> I found two ways general to solve the problem: - disable dnssec
> validation at all - disable qname-minimisation last resort: forward
> the domain to an other resolver
>
> we run unblund-1.5.9 including that patch:
> http://unbound.net/pipermail/unbound-users/2016-June/004379.html
>
> Andreas
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJXwDVuAAoJEJ9vHC1+BF+NHUYP/03OVY4zfaB9bo44j7T7sAid
5pl4b7l53VzZtkIQzRIihFvw+OitJk7caFqaXQioHldRB9Ts8nX6jVm4WTf/jG4F
utCq1Dyy5/pbZTTNXE0mIy+n2bE+AMJXFrxGo5GkzVzt1Ulf6ZTqofPcL8vtULgK
U1dZ8qZua2dymJ79XY8TEBE2WWxoPi2B3MZvr1uSwVWL68ZYigus9yTYXO6C2WT8
ZNbOIMRV0q55zoq99CzkBhuPSdSQSbrAsnx8WgBywbbKprNTFjbdZX3xzKNwPrkS
h49AjRj7vfjt9HWuVaLmfnPPVEhqEHVupI/SYCWC9GGMYJ5SBNTdyBhsNcKDHgD1
J6NAmdxbn0YXUOoHvFBXUv9A1SFQtSeyhTxpDWUhIkgr0U4dWmjPgMWowbpKUuIa
hZyBBXQW+HsjmsxML0LE6jsGkPlcLIQhnR22XRuC/HKiiZ0ocLNmLY7E4udMNjh2
4gue0WN5X20F9sq0zsbSFTY/3IcJ26f2qRthEM1pFEqprXjyNM0dLLDHtWza5wnO
kYUnU4SzzasmS9B7YuB22T7OZ3iJLhY9DEC7o5Z95Cou8n6OeMCUIufupHhvcE4a
rREPRnT4cQ/svADvWhmHfogie9mHpI6ifYtxJzKmBqDsQQnBmrNgB2QpkM3zw8e0
EGHjoFMM8zfUrtlfE6gE
=m4oS
-----END PGP SIGNATURE-----
More information about the Unbound-users
mailing list