-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi Dimitar,
The query work for me, both with and without qname minimisation. The name v1x2s.rf-adfe2ko9.senderbase.org. returns NXDOMAIN and this is an error. But qname minimisation works around it (by assuming non-DNSSEC servers cannot get NXDOMAIN right). But with use-caps-for-id: yes I get NXDOMAIN as well. The server cannot handle the fact that DNS does not distinguish between uppercase and lowercase and treats those names differently. You could try to get them to fix the software (and also for the NXDOMAIN problem noted above). Or you can caps-whitelist: "senderbase.org" in unbound.conf that will omit the dns-0x20 upper-lowercase changes to that domain name. Best regards, Wouter On 18/07/16 09:20, Dimitar Gerasimov via Unbound-users wrote: > Hi all, > > Long story short - we have Cisco Ironport email security appliance. > This device filter emails by reputation filtering. To do this, the > device send dns TXT request to senderbase.org, and based on answer > make decisions about filtering mails. > > But that is not working through Unbound . > > This is request and answer using Google free DNS : > > dig @8.8.8.8 txt > 1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.sen derbase.org > > > > ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @8.8.8.8 txt > 1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.sen derbase.org > > ; (1 server found) ;; global options: +cmd ;; Got answer: ;; > ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3460 ;; flags: qr > rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; > QUESTION SECTION: > ;1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.se nderbase.org. > > IN TXT > > ;; ANSWER SECTION: > 1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.sen derbase.org. > > 999 IN TXT "|0=2.5|1=0.0|2=0.4399|3=0.5|7=AvNDhLIaN|10=0,0|" > > ;; Query time: 195 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Mon > Jul 18 08:29:16 EEST 2016 ;; MSG SIZE rcvd: 170 > > As we can see, the request has a ANSWER SECTION, and Cisco Ironport > use this numbers for blocking e-mails (domains). > > This is request and answer using Unbound > > dig @UnboundIP txt > 1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.sen derbase.org > > > > ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @UnboundIP txt > 1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.sen derbase.org > > ; (1 server found) ;; global options: +cmd ;; Got answer: ;; > ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5044 ;; flags: qr > rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1480 ;; > QUESTION SECTION: > ;1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.se nderbase.org. > > IN TXT > > ;; Query time: 235 msec ;; SERVER: UnboundIP#53(UnboundIP) ;; WHEN: > Mon Jul 18 09:53:42 EEST 2016 ;; MSG SIZE rcvd: 110 > > > Unbound return ANSWER NXDOMAIN. Can someone help me with this ? > Thanks. > > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJXjIsSAAoJEJ9vHC1+BF+NsLsQAICCyW2CbAuPU9eqHU00dC8o rvYdIz1+KwZs7+ES9cYi8NB3cGw8JlPv+uFZFcA/k4kg5v/W7DiHtGVwvHZPxFkI hsL53ngk62so+jFkXcn59o2x/d3J/axAJbCAdyp6R7IIyTLBDajk5zNHHGeGNK+h mbqQLOPRNroHR0mY+jHHsdzDtNAnKvziWfIPsflKoRkLk/2fZK/uJpltp3Pv/ad4 J6K0ygRNUPRPwXZknpobfhm67ADexU8sBeK/bnA+4GkV00F8W49pAPhY+5hX/j5D P+uFAm9e3F/s0qZ4yxFeXBKeURma42AoobKRh0TXdedgw8ltiLJi00ULV+LB0IPi fmkgqAtlTWCHx4FkbABmVtBtm2EGEJC867nHHTOZCtX0Q1hVuBMTTxkL7PWYtqKT iyI3O/6TUUErLRgoc5ZrcPKOPBsKELZBpxXxrabv3+iB51hkxK2CGxUclR+/FG4U FhN1H0aZ0xsfG+f4k1azePcZGc8e01p4sxvBrniE8YG4YVkqTjI849N82t/0qFxC LcVwNTJ8mzxJNNV3UqtPGzgjjKYVeis5pzVxe1/YXZUxj3kEyJxaX45yhemxj8x+ Kal347Jln8t1y8gHd/eRyfD/Qc9r/8ww4xzcdLYIwA9lnKVfNQ4w+OiIjiy5EWfJ +vscS8bF4NrWDQM2dLZ1 =zBjQ -----END PGP SIGNATURE-----
