On Thu, 19 Mar 2020 at 21:58, Greg Troxel <g...@lexort.com> wrote:
>
> On a machine that is up to date netbsd-8 amd64, I am having a mail
> problem, and other than this problem works correctly.
>
> The machine runs named, and resolv.conf points to ::1.
>
> I email with several people at protonmail.ch, and have noticed messages
> sitting in the postfix transmit queue with complaints, variously:
>
>   (Host or domain name not found. Name service error for
>   name=mailsec.protonmail.ch type=AAAA: Host not found, try again)
>   (delivery temporarily suspended: Host or domain name not found. Name
>   service error for name=mailsec.protonmail.ch type=AAAA: Host not found, try
>   again)
>
> When doing "dig protonmail.ch", I get SERVFAIL and see:
>
> Mar 19 17:46:55 foo named[4750]: query client=0x7a78c4b0c800 thread=0x7a78c8385000 (protonmail.ch/ANY): query_find: unexpected error after resuming: broken trust chain
>
> I also see
>
> Mar 19 17:46:28 foo named[4750]: validating mailsec.protonmail.ch/A: bad cache hit (protonmail.ch/DNSKEY)
> Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/A/IN': 185.70.40.19#53
> Mar 19 17:46:28 foo named[4750]: query client=0x7a78c7734800 thread=0x7a78c8385000 (mailsec.protonmail.ch/A): query_find: unexpected error after resuming: broken trust chain
> Mar 19 17:46:28 foo named[4750]: validating protonmail.ch/SOA: bad cache hit (protonmail.ch/DNSKEY)
> Mar 19 17:46:28 foo named[4750]: validating A18T1659TTNDNCA9ELRP0TQUCQDH3LD6.protonmail.ch/NSEC3: bad cache hit (protonmail.ch/DNSKEY)
> Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/AAAA/IN': 3.127.12.149#53
> Mar 19 17:46:28 foo named[4750]: query client=0x7a78c4b0b800 thread=0x7a78c8385000 (mailsec.protonmail.ch/AAAA): query_find: unexpected error after resuming: broken trust chain
> Mar 19 17:46:28 foo named[4750]: validating protonmail.ch/SOA: bad cache hit (protonmail.ch/DNSKEY)
> Mar 19 17:46:28 foo named[4750]: validating A18T1659TTNDNCA9ELRP0TQUCQDH3LD6.protonmail.ch/NSEC3: bad cache hit (protonmail.ch/DNSKEY)
> Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/AAAA/IN': 18.194.37.70#53
> Mar 19 17:46:28 foo named[4750]: query client=0x7a78c4713800 thread=0x7a78c8387000 (mailsec.protonmail.ch/AAAA): query_find: unexpected error after resuming: broken trust chain
>
> I did "ntpq -p" and my offsets are within +/- 10 ms.
>
> On a netbsd.org machine, things seem fine, and outgoing mail to
> protonmail is delivered.
>
> On another netbsd-8 machine of mine, RPI3, in a different place, also
> running named, I see the same problem.
>
> Using a proprietary email service, mail is also delivered to protonmail.
>
>
> So:
>
> If you have a netbsd box with named or some other resolver running,
> does "dig protonmail.ch" work, and what about "dig mail.protonmail.ch
> in a"?
$ uname -a
NetBSD eee 8.99.2 NetBSD 8.99.2 (RPI) #0: Sun Sep 17 00:08:51 UTC 2017  sysbuild@ymir:/home/sysbuild/evbarm/obj/home/sysbuild/src/sys/arch/evbarm/compile/RPI evbarm

$ dig protonmail.ch

; <<>> DiG 9.10.5-P2 <<>> protonmail.ch
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16621
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;protonmail.ch.			IN	A

;; ANSWER SECTION:
protonmail.ch.		817	IN	A	185.70.41.32

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 19 22:08:18 GMT 2020
;; MSG SIZE  rcvd: 58

$ dig mail.protonmail.ch in a

; <<>> DiG 9.10.5-P2 <<>> mail.protonmail.ch in a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59988
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.protonmail.ch.		IN	A

;; ANSWER SECTION:
mail.protonmail.ch.	1062	IN	A	185.70.40.103

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 19 22:09:08 GMT 2020
;; MSG SIZE  rcvd: 63

That's on my local unbound server. I set it up just for laughs more than a
year ago and it hasn't stopped for a minute.

$ uptime
10:11PM  up 402 days, 12:10, 5 users, load averages: 0.00, 0.00, 0.00

On the original Raspberry PI model B...

> Do you think other places actually validate DNSSEC, to the point
> where they do not return results if things are off?
>
> Do you think there is anything wrong with our named and dnssec root
> key setup?
>
> Anything else I should be asking?
>
> Thanks,
> Greg

--
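The two questions Greg ends with (is the SERVFAIL a DNSSEC validation failure, and does the resolver that answers actually validate?) can be answered from dig alone, without reading named's log. Below is an added diagnostic helper; it is not code from the thread or from NetBSD. It assumes BIND's dig is on PATH and that the resolver is ::1 as in Greg's setup (override with RESOLVER=...); delv (BIND 9.10 and later) and rndc are optional. The trick is the +cd (Checking Disabled) flag: a validating resolver that gets +cd returns whatever it resolved without validating it, so SERVFAIL on the plain query plus NOERROR on the +cd query means the data resolves fine and only the trust chain is failing, which is what named's "broken trust chain" and "bad cache hit (protonmail.ch/DNSKEY)" lines say from the server side. The absence of the ad flag on a NOERROR answer tells you the resolver did not mark that data as validated.

```shell
#!/bin/sh
# Added example (not from the thread): tell a DNSSEC validation failure apart
# from an ordinary resolution failure using dig's own output.
# Assumptions: BIND's dig is on PATH; the resolver is ::1 as in Greg's setup
# (override with RESOLVER=...); delv and rndc are optional extras.

RESOLVER="${RESOLVER:-::1}"

# status_of: print the rcode ("NOERROR", "SERVFAIL", ...) from dig output on stdin.
status_of() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# has_ad: succeed when dig's flags line carries "ad" (resolver says it validated).
has_ad() {
    grep -q '^;; flags:.* ad[ ;]'
}

# classify PLAIN CD: PLAIN is the text of "dig NAME", CD the text of "dig +cd NAME".
# Verdicts: validated / unvalidated / dnssec-validation-failure / resolution-failure:<rcode>
classify() {
    plain_status=$(printf '%s\n' "$1" | status_of)
    cd_status=$(printf '%s\n' "$2" | status_of)
    if [ "$plain_status" = NOERROR ]; then
        if printf '%s\n' "$1" | has_ad; then
            echo validated        # answer carried the AD flag
        else
            echo unvalidated      # resolved, but the resolver did not vouch for it
        fi
    elif [ "$plain_status" = SERVFAIL ] && [ "$cd_status" = NOERROR ]; then
        echo dnssec-validation-failure   # data resolves; only the chain fails
    else
        echo "resolution-failure:${plain_status:-no-answer}"
    fi
}

# check NAME [TYPE]: run both queries against $RESOLVER and report the verdict.
check() {
    name=$1
    rrtype=${2:-A}
    plain=$(dig "@$RESOLVER" "$name" "$rrtype" 2>&1)
    cd=$(dig "@$RESOLVER" +cd "$name" "$rrtype" 2>&1)
    verdict=$(classify "$plain" "$cd")
    echo "$name/$rrtype: $verdict"
    if [ "$verdict" = dnssec-validation-failure ]; then
        # Show the signature material the resolver is choking on ...
        dig "@$RESOLVER" +cd +dnssec "$name" "$rrtype" \
            | grep -E '[[:space:]](RRSIG|DNSKEY|DS)[[:space:]]' || true
        # ... and where an independent validator says the chain breaks.
        if command -v delv >/dev/null 2>&1; then
            delv "@$RESOLVER" +vtrace "$name" "$rrtype" 2>&1 | tail -n 15
        fi
        # A "bad cache hit (zone/DNSKEY)" line in named's log points at a cached
        # DNSKEY set that no longer validates; flushing that name forces a refetch.
        echo "hint: rndc flushname <zone named in the 'bad cache hit' line>, then re-run"
    fi
}

# Usage: sh dnssec-check.sh mailsec.protonmail.ch protonmail.ch
if [ $# -gt 0 ]; then
    for n in "$@"; do
        check "$n" A
        check "$n" AAAA
    done
fi
```

Run against a validating named that is in the state Greg describes, the plain query returns SERVFAIL, the +cd query returns the address, and the verdict is dnssec-validation-failure. Fed a flags line like the one in the unbound output above (qr rd ra, no ad), classify answers "unvalidated": the resolver produced an address but did not mark it as validated, so a NOERROR answer from it says nothing about whether the chain is intact. Only the DNSSEC-signed parts of that chain can be compared between two resolvers; a clock that is off by hours, not the +/- 10 ms Greg measured, would also break validation, which is why ntpq is the right first check.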