Maintained by: NLnet Labs

SOLVED: postbank.de / dslbank.de and DNSSEC and DANE

A. Schulze
Tue Feb 2 17:59:45 CET 2016


Daisuke HIGASHI:

> All postbank.de nameservers are sending a malformed UDP reply with TC.
> But my Unbound (1.5.7) resolver retries the query via TCP to get the correct answer.
>
> Is your firewall dropping malformed DNS messages or TCP DNS queries?

Not that I know of; there is no firewall in the way,
and TCP is allowed, too.

BUT:
If I disable "use-caps-for-id" I get NXDOMAIN from Unbound.
So "caps-whitelist: postbank.de" solved the issue for me.

Andreas
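
Background on the two options named in the message above, as an added example that is not part of the original post and is not Unbound's code: per the unbound.conf documentation, use-caps-for-id perturbs the upper/lower case of query names (0x20 encoding) and checks that the reply keeps the same casing, and caps-whitelist exempts a domain from the perturbation. The function names and the reply messages below are constructed for illustration.

```python
import random
import struct

def perturb_case(name, rng):
    """Randomly set the case (the 0x20 bit) of every letter in a query name."""
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in name)

def is_whitelisted(name, whitelist):
    """True if name equals, or is a subdomain of, a whitelisted domain."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in whitelist)

def outgoing_name(name, whitelist, rng):
    """Name as put on the wire: unperturbed for whitelisted domains."""
    return name if is_whitelisted(name, whitelist) else perturb_case(name, rng)

def build_message(txid, flags, name):
    """Minimal DNS message: header plus one question (type A, class IN)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
            + qname + b"\x00" + struct.pack("!HH", 1, 1))

def question_name(msg):
    """QNAME of the first question, with the case exactly as received."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def reply_echoes_case(sent_name, reply):
    """The 0x20 check: the reply must repeat the query name byte for byte."""
    return question_name(reply) == sent_name.rstrip(".")

if __name__ == "__main__":
    rng = random.Random()
    sent = outgoing_name("www.postbank.de", [], rng)
    # Constructed replies: one echoes the case, one lowercases the name.
    good = build_message(0x1234, 0x8180, sent)
    bad = build_message(0x1234, 0x8180, sent.lower())
    print(sent, reply_echoes_case(sent, good), reply_echoes_case(sent, bad))
    print(outgoing_name("www.postbank.de", ["postbank.de"], rng))
```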