Maintained by: NLnet Labs

postbank.de / dslbank.de and DNSSEC and DANE

A. Schulze
Tue Feb 2 14:15:01 CET 2016


Hello,

Postfix as MTA supports DANE, which relies on DNSSEC. I use unbound for this purpose.
I found my Postfix could not deliver messages to postbank.de and dslbank.de.
I guess there is something wrong with their DNS servers.

$ posttls-finger postbank.de
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mailrelay2.bonn.postbank.de type=TLSA: Host not found, try again
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mailrelay2.bonn.postbank.de type=TLSA: Host not found, try again
posttls-finger: Failed to establish session to postbank.de via mailrelay2.bonn.postbank.de: TLSA lookup error for mailrelay2.bonn.postbank.de:25
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mailrelay1.bonn.postbank.de type=TLSA: Host not found, try again
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mailrelay1.bonn.postbank.de type=TLSA: Host not found, try again
posttls-finger: Failed to establish session to postbank.de via mailrelay1.bonn.postbank.de: TLSA lookup error for mailrelay1.bonn.postbank.de:25

$ dig _25._tcp.mailrelay2.bonn.postbank.de. tlsa

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> _25._tcp.mailrelay2.bonn.postbank.de. tlsa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29288
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_25._tcp.mailrelay2.bonn.postbank.de. IN TLSA

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Feb 02 14:04:08 CET 2016
;; MSG SIZE  rcvd: 65

But other people report they get NXDOMAIN and not SERVFAIL like I do.
(https://mail.sys4.de/mailman/private/dane-users/2016-February/thread.html)

So I would like to ask whether unbound may behave differently than BIND.

Just learned that both domains aren't configured perfectly:
  - http://dnsviz.net/d/dslbank.de/dnssec/
  - http://dnsviz.net/d/postbank.de/dnssec/


Is there anything I could adjust by configuration?

Thanks
Andreas
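A small diagnostic for the SERVFAIL-versus-NXDOMAIN question in the post above, added here as an example and not part of the original thread. It assumes you capture the same TLSA query twice against your validating resolver, once as plain `dig` and once with `+cd` (checking disabled, so unbound returns whatever the authoritative servers say without validating it), and classifies the pair the way Postfix's `dane` security level reacts: a SERVFAIL that turns into an answer under `+cd` means the zone failed DNSSEC validation, which Postfix reports as a "TLSA lookup error" and defers, whereas a validated (ad flag) NXDOMAIN or NODATA makes Postfix fall back to opportunistic TLS.

```python
import re

# Header lines from the dig output in the post (first sample) and a
# constructed +cd response for the same name (second sample).
DIG_NORMAL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29288
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_CD = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""
# Constructed: what a correctly signed zone with a TLSA record looks like.
DIG_SECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""


def parse_dig(text):
    """Return (rcode, set of header flags, answer count) from dig header lines."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"flags: ([^;]*);", text)
    answers = re.search(r"ANSWER: (\d+)", text)
    if not (status and flags and answers):
        raise ValueError("input does not look like dig output")
    return status.group(1), set(flags.group(1).split()), int(answers.group(1))


def diagnose(normal, cd):
    """Classify a TLSA lookup as Postfix's dane level would treat it.

    bogus        -> resolver refuses to validate the zone; Postfix defers
    lookup-error -> fails even with validation off; authoritative side is down
    insecure     -> no ad flag, zone is unsigned; Postfix falls back to 'may'
    secure-tlsa  -> validated TLSA record present; DANE is enforced
    no-tlsa      -> validated absence of TLSA; Postfix falls back to 'may'
    """
    rcode, flags, answers = parse_dig(normal)
    cd_rcode, _, _ = parse_dig(cd)
    if rcode == "SERVFAIL":
        return "bogus" if cd_rcode in ("NOERROR", "NXDOMAIN") else "lookup-error"
    if "ad" not in flags:
        return "insecure"
    if rcode == "NOERROR" and answers > 0:
        return "secure-tlsa"
    return "no-tlsa"


if __name__ == "__main__":
    print("postbank.de TLSA:", diagnose(DIG_NORMAL, DIG_CD))  # bogus
```

When the verdict is `bogus`, the fix belongs on the zone owner's side (the DNSViz links above show where the chain breaks); loosening validation in unbound only hides the problem and removes the protection DANE was meant to give.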