Benny Pedersen me@junc.eu writes:
On 2016-02-03 07:26, Andreas Schulze wrote:
I don't use unbound
a feature in unbound called "" was the reason we now add an exception to unbound and get also NXDOMAIN see https://unbound.net/pipermail/unbound-users/2016-February/004192.html
unbound.conf:
server:
    caps-whitelist: postbank.de
(require unbound-1.5.4 or newer)
another reason for not using unbound ?
The bug in the postbank.de servers will cause SERVFAIL with *any* DNSSEC validator unless you are careful to keep the query lower case only. You can easily verify this yourself. Simply query your validating resolver for a non-existing name in postbank.de, capitalizing one or more characters in the query:
bjorn@nemi:~$ dig ns5.Postbank.de
; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> ns5.Postbank.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48848
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns5.Postbank.de. IN A

;; Query time: 1278 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 03 18:27:13 CET 2016
;; MSG SIZE rcvd: 44
No unbound involved here:
bjorn@nemi:~$ dig version.bind txt chaos
; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> version.bind txt chaos
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44913
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;version.bind. CH TXT

;; ANSWER SECTION:
version.bind. 0 CH TXT "9.9.5-9+deb8u5-Debian"

;; AUTHORITY SECTION:
version.bind. 0 CH NS version.bind.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 03 18:29:22 CET 2016
;; MSG SIZE rcvd: 89
Bjørn
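
The check described in the message above, scripted as an added example that is not part of the original thread: it sends the same name in lower case and in mixed case to a validating resolver and compares the rcodes dig reports. The function names are hypothetical helpers, and the default resolver 127.0.0.1 is an assumption taken from the SERVER line of the dig output above.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). All function names are hypothetical helpers.

# Upper-case every other letter so the query name is mixed case, deterministically.
mixed_case() {
  printf '%s' "$1" | awk '{
    out = ""; n = 0
    for (i = 1; i <= length($0); i++) {
      c = substr($0, i, 1)
      if (c ~ /[A-Za-z]/) { c = (n % 2 == 0) ? toupper(c) : tolower(c); n++ }
      out = out c
    }
    print out
  }'
}

# Read dig output on stdin and print the rcode from the ->>HEADER<<- line.
rcode_from_dig() {
  sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Compare the rcode for the lower-case spelling with the mixed-case one.
case_verdict() {
  if [ "$1" = "$2" ]; then
    echo "consistent"
  elif [ "$2" = "SERVFAIL" ]; then
    echo "case-sensitive-failure"
  else
    echo "differs"
  fi
}

# Query one name in both spellings through a validating resolver.
check_name() {
  resolver=${2:-127.0.0.1}
  lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  mixed=$(mixed_case "$lower")
  r_lower=$(dig "@$resolver" "$lower" A | rcode_from_dig)
  r_mixed=$(dig "@$resolver" "$mixed" A | rcode_from_dig)
  printf '%s -> %s\n%s -> %s\nverdict: %s\n' \
    "$lower" "$r_lower" "$mixed" "$r_mixed" "$(case_verdict "$r_lower" "$r_mixed")"
}

# Usage: check_name ns5.postbank.de 127.0.0.1
```

Source the file and call `check_name` with a name and, optionally, the resolver address; a verdict other than `consistent` means the answer depends on the case of the query name.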