I know that this is not a postfix issue, but I have the hope that someone from DHL is on this list :-)
It looks like that DHL (and possibly many other DHL related domains) messed with their DNSSec. With NSEC3 to be more precise If checking the csync the following is returned > dig dhl.com csync +dnssec > u9eivlgtjpe1bb2anhs9aevftkoikcon.dhl.com. 300 IN NSEC3 1 0 1 > 0E0CA64306F6F95D U9EIVLGTJPE1BB2ANHS9AEVFTKOIKCOO NS SOA RRSIG DNSKEY > NSEC3PARAM CDS CDNSKEY imho this clearly states that only the following RR types exist for the zone "NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY". So no A or MX, although the NS positively reply for direct queries for A or MX. But as soon as a DNSSec-aware resolver has the above NSEC3 in cache queries for MX and A are returned negatively from cache. Which makes it quite hard to reliably receive and send mail from/to DHL Cheers tobi _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
