SOLVED: postbank.de / dslbank.de and DNSSEC and DANE
sca at andreasschulze.de
Tue Feb 2 16:59:45 UTC 2016
> All postbank.de nameservers are sending malformed UDP reply with TC.
> But my Unbound (1.5.7) resolver retries query via TCP to get correct answer.
> Your firewall is dropping malformed DNS messages or TCP DNS queries?
Not that I know of / no firewall in the way,
and TCP is allowed, too.
If I disable "use-caps-for-id" I get NXDOMAIN from unbound.
So "caps-whitelist: postbank.de" solved the issue for me.