Hi Andreas,

The domain responds with a DNSSEC-signed NXDOMAIN for mx.bsws.de, and thus a.mx.bsws.de cannot exist. With qname-minimisation, unbound then stops. Qname minimisation in unbound assumes that DNSSEC-signed domains will do their NXDOMAIN correctly. (Note the replay possibility on that NSEC3-signed domain to its subdomains.) There are also various internet drafts (RFCs) in progress that say that nodes under an NXDOMAIN node do not exist.

So, these people should fix their implementation. It is not safe. Someone may remove their MX (mail server) addresses, and gain DNSSEC validity. And could do that too with TLSA and claim it was unsecure (vis-a-vis TLSA mailserver security).

domain-insecure: "bsws.de" and yos.net may be a suitable workaround. DNSSEC is broken for the domain.

Best regards, Wouter

On 26/08/16 14:06, A. Schulze via Unbound-users wrote:
> Hello,
>
> messages to bsws.de and yos.net (same mx) fail because unbound
> could not resolve the names. http://dnsviz.net/d/yos.net/dnssec/
> shows some strange warnings.
>
> I found two general ways to solve the problem:
> - disable dnssec validation at all
> - disable qname-minimisation
> last resort: forward the domain to another resolver
>
> we run unbound-1.5.9 including that patch:
> http://unbound.net/pipermail/unbound-users/2016-June/004379.html
>
> Andreas
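
The failure described in this thread, as an added example that is not part of the original messages and is not unbound's code: a small Python model of a qname-minimising lookup against a server that answers NXDOMAIN for an empty non-terminal. The zone contents, the function names and the NS probe type are assumptions made for the illustration, and DNSSEC validation itself is not modelled.

```python
# Constructed model of the failure discussed above; not unbound's code.
# Zone data is invented for illustration: only a.mx.bsws.de holds a record,
# so mx.bsws.de is an empty non-terminal (no data of its own, but children).
ZONE = {"bsws.de.": {"SOA", "NS"}, "a.mx.bsws.de.": {"A"}}

def authoritative(qname, qtype, ent_bug):
    """Return the rcode an authoritative server for ZONE would give.

    ent_bug=True models the misbehaviour: NXDOMAIN for an empty non-terminal.
    """
    if qname in ZONE:
        return "NOERROR" if qtype in ZONE[qname] else "NODATA"
    has_children = any(name.endswith("." + qname) for name in ZONE)
    if has_children and not ent_bug:
        return "NODATA"          # correct answer for an empty non-terminal
    return "NXDOMAIN"

def resolve_minimised(qname, qtype, apex, ent_bug):
    """Walk from the zone apex toward qname one label at a time.

    qname must lie strictly below apex. A signed NXDOMAIN for an ancestor is
    taken to mean that nothing exists below it, so the walk stops there.
    Returns (rcode, queries_sent).
    """
    labels = qname[: -len(apex)].rstrip(".").split(".")
    sent = []
    for i in range(len(labels) - 1, -1, -1):
        name = ".".join(labels[i:]) + "." + apex
        # Intermediate names are probed with a type that hides the real one
        # (NS here, an assumption); only the full name gets qtype.
        probe = qtype if i == 0 else "NS"
        rcode = authoritative(name, probe, ent_bug)
        sent.append((name, probe, rcode))
        if rcode == "NXDOMAIN":
            return "NXDOMAIN", sent
    return rcode, sent

def resolve_full(qname, qtype, ent_bug):
    """Without minimisation the full name is sent directly."""
    return authoritative(qname, qtype, ent_bug)

if __name__ == "__main__":
    for bug in (True, False):
        print("ent_bug =", bug,
              resolve_minimised("a.mx.bsws.de.", "A", "bsws.de.", bug),
              "| full query:", resolve_full("a.mx.bsws.de.", "A", bug))
```

With the faulty server the minimised walk ends at mx.bsws.de and never asks for a.mx.bsws.de, while the full-name query still gets an answer, which matches the observation that disabling qname-minimisation makes the names resolve.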
