local unbound resolver fails @ DANE TLSA lookups; ok with external NS ?
PGNet Dev
pgnet.dev at gmail.com
Thu Oct 6 16:33:33 UTC 2022
sending recent mail via my local mail server
postfix 3.7.2
to
CASTEP at state.gov
using local resolver
unbound 1.16.2
I see in logs lots of these warnings/errors:
2022-10-05T17:30:13.602980-04:00 mx03 postfix/smtp-out-ext/smtp[8484]: warning: TLS policy lookup for state.gov/christopher-ew.state.gov: TLSA lookup error for christopher-ew.state.gov:25
2022-10-05T17:30:14.353543-04:00 mx03 postfix/smtp-out-ext/smtp[8484]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.stimson.state.gov type=TLSA: Host not found, try again
reading
Problem with TLSA & CNAME Wildcard
https://mailing.postfix.users.narkive.com/VGejQATw/problem-with-tlsa-cname-wildcard
suggests a resolver problem
checking my local unbound resolver,
dig +ad +noall +comment +ans +auth -t tlsa _25._tcp.christopher-ew.state.gov @127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 491
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
vs Cloudflare
dig +ad +noall +comment +ans +auth -t tlsa _25._tcp.christopher-ew.state.gov @1.1.1.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64831
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; AUTHORITY SECTION:
state.gov. 900 IN SOA o-bimc-dns001.grid.state.sbu. hostmaster.state.gov. 71488 10800 1080 2419200 900
or Google
dig +ad +noall +comment +ans +auth -t tlsa _25._tcp.christopher-ew.state.gov @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52518
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; AUTHORITY SECTION:
state.gov. 900 IN SOA o-bimc-dns001.grid.state.sbu. hostmaster.state.gov. 71488 10800 1080 2419200 900
seems it's my unbound config.
AFAICT I've no other resolver issues.
Any hints as to cause/cure for this failing DANE/TLSA query? Or where/how to dig further?
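The comparison above (local Unbound answering SERVFAIL, the public resolvers answering NXDOMAIN with the AD bit set) is the whole diagnosis, and it is worth making repeatable. The script below is an added example, not code from the original post, from Unbound or from Postfix: it parses the `;; ->>HEADER<<-` and `;; flags:` lines that dig prints, reports per resolver the rcode and whether the answer was DNSSEC-validated, maps each result onto what a Postfix client at `smtp_tls_security_level = dane` does with it, and flags when the resolvers disagree. The three captures embedded in `SAMPLES` are the ones from the post; the resolver labels are my own.

```python
"""Compare a DANE TLSA lookup across resolvers from captured dig output.

Added example; not code from the original post, Unbound or Postfix.
It parses the ';; ->>HEADER<<-' and ';; flags:' lines that dig prints and
reports, per resolver, the rcode, whether the AD bit (DNSSEC-validated
answer) was set, and what a DANE-enabled Postfix client does with such a
result. The three captures below are the ones from the post; the resolver
labels in SAMPLES are my own.
"""
import re

STATUS_RE = re.compile(r"status:\s*(\w+)")
ANSWER_RE = re.compile(r"ANSWER:\s*(\d+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)

SAMPLES = {
    "unbound@127.0.0.1": """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 491
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
""",
    "cloudflare@1.1.1.1": """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64831
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
state.gov. 900 IN SOA o-bimc-dns001.grid.state.sbu. hostmaster.state.gov. 71488 10800 1080 2419200 900
""",
    "google@8.8.8.8": """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52518
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
""",
}


def parse_dig(output: str) -> dict:
    """Pull rcode, header flags and answer count out of one dig capture."""
    status = STATUS_RE.search(output)
    if status is None:
        raise ValueError("no ->>HEADER<<- line in dig output")
    flags_m = FLAGS_RE.search(output)
    answers_m = ANSWER_RE.search(output)
    flags = set(flags_m.group(1).split()) if flags_m else set()
    return {
        "status": status.group(1),
        "flags": flags,
        "ad": "ad" in flags,  # resolver asserts the answer passed DNSSEC validation
        "answers": int(answers_m.group(1)) if answers_m else 0,
    }


def postfix_dane_outcome(parsed: dict) -> str:
    """What a Postfix client at smtp_tls_security_level=dane does with this TLSA result."""
    status, ad, answers = parsed["status"], parsed["ad"], parsed["answers"]
    if status == "SERVFAIL":
        # Matches the post's log line "TLSA lookup error ... try again": mail is deferred
        return "lookup error: delivery deferred"
    if status == "NXDOMAIN" or (status == "NOERROR" and answers == 0):
        if ad:
            return "validated denial: no TLSA published, effective level 'may'"
        return "unvalidated denial: DANE unusable, effective level 'may'"
    if status == "NOERROR":
        return "TLSA present, DANE-verified TLS" if ad else "TLSA not validated: DANE unusable"
    return f"unexpected rcode {status}"


def resolvers_disagree(parsed_by_resolver: dict) -> bool:
    """True when the resolvers do not all return the same rcode for the query."""
    return len({p["status"] for p in parsed_by_resolver.values()}) > 1


def summarize(samples: dict = SAMPLES) -> dict:
    """Parse every capture and attach the Postfix interpretation."""
    out = {}
    for name, capture in samples.items():
        p = parse_dig(capture)
        p["postfix"] = postfix_dane_outcome(p)
        out[name] = p
    return out


if __name__ == "__main__":
    results = summarize()
    for name, r in results.items():
        print(f"{name:20} {r['status']:9} ad={r['ad']!s:5} -> {r['postfix']}")
    if resolvers_disagree(results):
        print("resolvers disagree: suspect the local resolver, not the remote zone")
```

Run as-is it prints one line per capture and the disagreement notice; on a live host, replace the `SAMPLES` strings with the output of the same `dig +ad ... -t tlsa` command pointed at each resolver. The point of the AD column is that Postfix only honours TLSA data, or denial of it, when the resolver sets AD, so a local resolver that returns SERVFAIL where validating public resolvers return an authenticated NXDOMAIN is the thing to investigate before touching the mail configuration.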