sending recent mail via my local mail server

        postfix 3.7.2

to

        cas...@state.gov

using local resolver

        unbound 1.16.2

i see in logs lots of these warnings/errors,

    2022-10-05T17:30:13.602980-04:00 mx03 postfix/smtp-out-ext/smtp[8484]: warning: TLS policy lookup for state.gov/christopher-ew.state.gov: TLSA lookup error for christopher-ew.state.gov:25
    2022-10-05T17:30:14.353543-04:00 mx03 postfix/smtp-out-ext/smtp[8484]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.stimson.state.gov type=TLSA: Host not found, try again

reading

    Problem with TLSA & CNAME Wildcard
    https://mailing.postfix.users.narkive.com/VGejQATw/problem-with-tlsa-cname-wildcard

suggests a resolver problem

checking my local unbound resolver,

    dig +ad +noall +comment +ans +auth -t tlsa _25._tcp.christopher-ew.state.gov @127.0.0.1
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 491
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 1232

vs Cloudflare

    dig +ad +noall +comment +ans +auth -t tlsa _25._tcp.christopher-ew.state.gov @1.1.1.1
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64831
        ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 1232
        ;; AUTHORITY SECTION:
        state.gov.              900     IN      SOA     o-bimc-dns001.grid.state.sbu. hostmaster.state.gov. 71488 10800 1080 2419200 900

or Google

    dig +ad +noall +comment +ans +auth -t tlsa _25._tcp.christopher-ew.state.gov @8.8.8.8
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52518
        ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 512
        ;; AUTHORITY SECTION:
        state.gov.              900     IN      SOA     o-bimc-dns001.grid.state.sbu. hostmaster.state.gov. 71488 10800 1080 2419200 900

seems it's my unbound config.

afaict i've no other resolver issues.

any hints as to cause/cure for this failing dane/tlsa query? or where/how to 
dig further?
