W.C.A. Wijngaards via Unbound-users:
The domain responds with a DNSSEC-signed NXDOMAIN for mx.bsws.de, and
thus a.mx.bsws.de cannot exist. With qname-minimisation Unbound then
stops.
Qname minimisation in Unbound assumes that DNSSEC-signed domains will
do their NXDOMAIN correctly. (Note the replay possibility on that
NSEC3 signed domain to its subdomains). There are also various
internet drafts (RFCs) in progress that say that nodes under an
NXDOMAIN node do not exist.
So, these people should fix their implementation. It is not safe.
Someone may remove their MX (mail server) addresses, and gain DNSSEC
validity. And could do that too with TLSA and claim it was unsecure
(vis a vis TLSA mailserver security).
Thanks for the explanation.
domain-insecure: "bsws.de" and yos.net may be a suitable workaround.
That alone does not help. I now forward the domain to another, less
restrictive resolver.
Andreas
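
The behaviour discussed in this thread, as an added example that is not part of the original messages and not Unbound's code: a simplified model of a resolver walking a.mx.bsws.de with and without qname minimisation, against a server that answers NXDOMAIN for the empty non-terminal mx.bsws.de. DNSSEC signatures are not modelled, and the zone contents, the address and all function names are constructed for illustration.

```python
# Simplified model, added for illustration; not Unbound's implementation.
NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"

# Constructed sample zone: mx.bsws.de. owns no records itself (empty
# non-terminal), but a.mx.bsws.de. below it does. Address is a documentation IP.
RECORDS = {"bsws.de.": ["SOA"], "a.mx.bsws.de.": ["A 192.0.2.25"]}

def has_descendant(name, records):
    """True if some owner name exists strictly below `name`."""
    return any(owner.endswith("." + name) for owner in records)

def authoritative_answer(qname, records, buggy):
    """Return (rcode, rrset). A correct server answers NOERROR with no data
    for an empty non-terminal; the buggy one answers NXDOMAIN instead."""
    if qname in records:
        return NOERROR, records[qname]
    if has_descendant(qname, records) and not buggy:
        return NOERROR, []
    return NXDOMAIN, []

def minimised_names(qname, zone_apex):
    """Names a minimising resolver asks for, adding one label at a time."""
    if qname == zone_apex:
        return [qname]
    labels = qname[: -len(zone_apex)].rstrip(".").split(".")
    names, suffix = [], zone_apex
    for label in reversed(labels):
        suffix = label + "." + suffix
        names.append(suffix)
    return names

def resolve(qname, zone_apex, records, buggy, minimise):
    """Return (rcode, rrset, names_asked)."""
    queries = minimised_names(qname, zone_apex) if minimise else [qname]
    asked = []
    for name in queries:
        asked.append(name)
        rcode, rrset = authoritative_answer(name, records, buggy)
        if rcode == NXDOMAIN:
            # NXDOMAIN means nothing exists below this name, so stop here.
            return rcode, rrset, asked
    return rcode, rrset, asked

if __name__ == "__main__":
    for buggy in (True, False):
        for minimise in (True, False):
            print(buggy, minimise,
                  resolve("a.mx.bsws.de.", "bsws.de.", RECORDS, buggy, minimise))
```

With the buggy server, the minimising resolver stops at mx.bsws.de. and never asks for the full name, while the non-minimising resolver still gets the address record.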