cannot resolve a.mx.bsws.de
A. Schulze
sca at andreasschulze.de
Fri Aug 26 12:54:16 UTC 2016
W.C.A. Wijngaards via Unbound-users:
> The domain responds with a DNSSEC-signed NXDOMAIN for mx.bsws.de, and
> thus a.mx.bsws.de cannot exist. With qname-minimisation unbound then
> stops.
>
> Qname minimisation in unbound assumes that dnssec signed domains will
> do their NXDOMAIN correctly. (Note the replay possibility on that
> NSEC3 signed domain to its subdomains). There are also various
> internet drafts (RFCs) in progress that say that nodes under an
> NXDOMAIN node do not exist.
>
> So, these people should fix their implementation. It is not safe.
> Someone may remove their MX (mail server) addresses, and gain DNSSEC
> validity. And could do that too with TLSA and claim it was unsecure
> (vis a vis TLSA mailserver security).
Thanks for the explanation.
> domain-insecure: "bsws.de" and yos.net may be a suitable workaround.
That alone does not help. I now forward the domain to another, less
restrictive resolver.
Andreas
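
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not Unbound's code: a toy model of a qname-minimising lookup against an authoritative server that answers NXDOMAIN for an empty non-terminal. The zone `example.` and its records are constructed to mirror the shape of a.mx.bsws.de; DNSSEC signatures and the real query types are left out as a simplifying assumption.

```python
# Constructed zone: only the apex and a.mx.example. own records, so
# mx.example. is an empty non-terminal (no records, but a name below it).
ZONE = {"example.": {"SOA", "NS"}, "a.mx.example.": {"A"}}

def rcode(name, zone, ent_aware):
    """Model of the authoritative server's answer code for `name`."""
    if name in zone:
        return "NOERROR"
    is_ent = any(owner.endswith("." + name) for owner in zone)
    if is_ent and ent_aware:
        return "NOERROR"   # NODATA: the name exists but holds no records
    return "NXDOMAIN"      # a broken server also says this for the ENT

def minimised_names(qname, apex):
    """Names asked below the zone apex, one extra label per step."""
    labels = qname.rstrip(".").split(".")
    apex_len = len(apex.rstrip(".").split("."))
    for n in range(apex_len + 1, len(labels) + 1):
        yield ".".join(labels[-n:]) + "."

def resolve(qname, apex, zone, ent_aware, minimise):
    """Return (final rcode, list of (name asked, rcode)) for one lookup."""
    names = minimised_names(qname, apex) if minimise else [qname]
    trace = []
    for name in names:
        rc = rcode(name, zone, ent_aware)
        trace.append((name, rc))
        if rc == "NXDOMAIN":
            # Nothing can exist below a nonexistent name, so stop here.
            return "NXDOMAIN", trace
    return "NOERROR", trace

if __name__ == "__main__":
    for ent_aware, minimise in [(False, True), (False, False), (True, True)]:
        result, trace = resolve("a.mx.example.", "example.", ZONE,
                                ent_aware, minimise)
        print(f"ent_aware={ent_aware} minimise={minimise}: {result} {trace}")
```

The first case reproduces the report: the minimising resolver asks for the intermediate name first and stops at its NXDOMAIN, while a resolver that sends the full name still gets an answer from the same broken server.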