getting NXDOMAIN for existing entry
Nevel Gandish
koantisch at googlemail.com
Wed Jun 12 04:13:27 UTC 2019
Hello,
I'm trying to test my mail server with https://havedane.net but it will
send mails to the subdomain with an invalid DANE entry.
The reason seems to be that my local unbound (1.9.0) installation gives NXDOMAIN
when looking up _25._tcp.wrong.havedane.net:
; <<>> DiG 9.10.3-P4-Debian <<>> _25._tcp.wrong.havedane.net TLSA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29911
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_25._tcp.wrong.havedane.net. IN TLSA
;; AUTHORITY SECTION:
havedane.net. 103 IN SOA ns091.auroradns.eu. admin.auroradns.eu. 2019011601 86400 7200 604800 300
Unbound log:
Jun 11 20:53:27 unbound[8830:0] info: reply from <havedane.net.> 185.103.243.231#53
Jun 11 20:53:27 unbound[8830:0] info: query response was NXDOMAIN ANSWER
Jun 11 20:53:27 unbound[8830:0] info: 127.0.0.1 _25._tcp.wrong.havedane.net. A IN NXDOMAIN 0.451754 0 116
But this TLSA RR exists and it's found when using any other NS like here
(or with @46.182.19.48 or @9.9.9.9 or whatever):
; <<>> DiG 9.10.3-P4-Debian <<>> _25._tcp.wrong.havedane.net TLSA @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22860
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_25._tcp.wrong.havedane.net. IN TLSA
;; ANSWER SECTION:
_25._tcp.wrong.havedane.net. 3599 IN TLSA 2 1 1 27B694B51D1FEF8885372ACFB39193759722B736B0426864DC1C79D0 651FEF72
_25._tcp.wrong.havedane.net. 3599 IN TLSA 3 1 1 553ACF88F9EE18CCAAE635CA540F32CB84ACA77C47916682BCB542D5 1DAA871E
I don't know what to look for in my installation or configuration. What
results do you get when running that request?
Bye,
Nevel