On 2019-06-15 13:48, I wrote:
On 2019-06-15 12:11, I wrote:
Testing on a dnsmasq from home I don't get SERVFAIL, just NOERROR.
I still think this is an interesting problem, perhaps a BIND problem. The user didn't set a TLSA and might have had no idea about DANE ("isn't that what Hamlet was?") and yet was unable to get mail from my DANE-enabled host.
Logs (from named) of the SERVFAIL:
15-Jun-2019 18:49:00.419 lame-servers: info: no valid RRSIG resolving 'smtp.example.com/DS/IN': 176.56.237.121#53
15-Jun-2019 18:49:00.468 lame-servers: info: no valid RRSIG resolving 'smtp.example.com/DS/IN': 45.119.209.45#53
15-Jun-2019 18:49:00.468 lame-servers: info: no valid DS resolving '_25._tcp.smtp.example.com/TLSA/IN': 45.119.209.45#53
15-Jun-2019 18:49:00.567 dnssec: info: validating _25._tcp.smtp.example.com/TLSA: bad cache hit (smtp.example.com/DS)
15-Jun-2019 18:49:00.567 lame-servers: info: broken trust chain resolving '_25._tcp.smtp.example.com/TLSA/IN': 176.56.237.121#53
This was after "rndc flushtree example.com", so I am still not sure what the error means.
Hmm, why is it wanting DS for smtp.example.com? That's not a zone, it is only an A record in example.com.
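As an added example, not part of the original message or of BIND itself: a small parser for the named "lame-servers" and "dnssec" log lines quoted above, which groups each validation failure by query name and type, records the upstream servers and reasons seen, and links a "bad cache hit" back to the cached record it depended on. The sample input is constructed from the lines in the message; the regexes assume BIND's default log line layout.

```python
import re
from collections import defaultdict

# Constructed sample: the named log lines quoted in the message above.
SAMPLE_LOG = """\
15-Jun-2019 18:49:00.419 lame-servers: info: no valid RRSIG resolving 'smtp.example.com/DS/IN': 176.56.237.121#53
15-Jun-2019 18:49:00.468 lame-servers: info: no valid RRSIG resolving 'smtp.example.com/DS/IN': 45.119.209.45#53
15-Jun-2019 18:49:00.468 lame-servers: info: no valid DS resolving '_25._tcp.smtp.example.com/TLSA/IN': 45.119.209.45#53
15-Jun-2019 18:49:00.567 dnssec: info: validating _25._tcp.smtp.example.com/TLSA: bad cache hit (smtp.example.com/DS)
15-Jun-2019 18:49:00.567 lame-servers: info: broken trust chain resolving '_25._tcp.smtp.example.com/TLSA/IN': 176.56.237.121#53
"""

# "<reason> resolving '<name>/<type>/IN': <server>#<port>" lines from the lame-servers category
LAME_RE = re.compile(
    r"^(?P<ts>\S+ \S+) lame-servers: \w+: (?P<reason>.+?) resolving "
    r"'(?P<name>[^/]+)/(?P<rtype>[A-Z0-9]+)/IN': (?P<server>[^#]+)#\d+$"
)
# "validating <name>/<type>: bad cache hit (<dependency>)" lines from the dnssec category
CACHE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) dnssec: \w+: validating (?P<name>[^/]+)/(?P<rtype>[A-Z0-9]+): "
    r"bad cache hit \((?P<dep>[^)]+)\)$"
)

def parse_named_log(text):
    """Return one dict per recognised validation-related line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LAME_RE.match(line)
        if m:
            events.append(dict(m.groupdict(), kind="lame"))
            continue
        m = CACHE_RE.match(line)
        if m:
            events.append(dict(m.groupdict(), kind="bad_cache"))
    return events

def summarize(events):
    """Group by (name, rtype): reasons and upstream servers seen, plus cached records depended on."""
    summary = defaultdict(lambda: {"reasons": set(), "servers": set(), "depends_on": set()})
    for e in events:
        entry = summary[(e["name"], e["rtype"])]
        if e["kind"] == "lame":
            entry["reasons"].add(e["reason"])
            entry["servers"].add(e["server"])
        else:
            entry["depends_on"].add(e["dep"])
    return dict(summary)

def broken_chain_names(events):
    """The (name, rtype) pairs whose resolution ended in 'broken trust chain'."""
    return sorted({(e["name"], e["rtype"]) for e in events
                   if e["kind"] == "lame" and e["reason"] == "broken trust chain"})
```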