Awesome Viktor! Thanks for your speedy response.
On 17-11-16 01:17, Viktor Dukhovni wrote:
On Wed, Nov 16, 2016 at 11:15:35PM +0100, Walter Doekes wrote:
this week we stumbled upon an issue where we could not send mail to certain
domains, for instance em...@umcg.nl.
...
It turned out that this was the cause:
...
$ dig A umcg-nl.mail.protection.outlook.com. \
@ns1-proddns.glbdns.o365filtering.com. +edns +dnssec |
grep FORMERR
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 46904
;; WARNING: EDNS query returned status FORMERR -
retry with '+nodnssec +noedns'
I can't reproduce your observations using unbound as the local
resolver:
$ dig +dnssec +ad +noall +comment +cmd +qu +ans +auth +nocl +nottl \
-t a umcg-nl.mail.protection.outlook.com
...
umcg-nl.mail.protection.outlook.com. A 213.199.154.23
umcg-nl.mail.protection.outlook.com. A 213.199.154.87
Postfix will not directly query the remote nameserver, and indeed
with DANE you're supposed to be configured to *only* query the
local resolver. What resolver is that? And how is it configured?
Once the A records come back insecure (AD=0), Postfix will not
query for TLSA records.
Yes, I was aware that postfix doesn't do the recursion itself. The
@remote-dns in the example was merely to clarify.
You are right. I checked with bind9 as recursor today and it does two
queries: first one that gets the FORMERR and then a second one without
EDNS that succeeds. It'll happily pass along the successful response to
the original requestor.
That looks like I have my DNS recursor to blame for the problem. It's a
powerdns recursor, version 4.0.0~alpha2 if I'm not mistaken.
I'll be forwarding the issue with the appropriate evidence there if it
hasn't been fixed already.
Thanks again,
Walter Doekes
OSSO B.V.
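The two-query fallback described above, and the consequence Viktor points out for DANE (an answer obtained without EDNS cannot validate, so AD=0 and no TLSA lookup follows), modelled in plain-standard-library Python as an added example. This is not code from the thread, Postfix, BIND or PowerDNS: the nameserver stub that returns FORMERR on any EDNS query, the zone data (the two addresses from the dig output above, reused as constructed sample data), and the function names are assumptions made for illustration.

```python
"""Model of a recursor's EDNS fallback and the AD=0 result it hands to a DANE client.
Added example; the stub server, zone data and function names are constructed."""
import struct

NOERROR, FORMERR = 0, 1
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

# Constructed sample data (addresses taken from the dig output in the thread).
CONSTRUCTED_ZONE = {
    "umcg-nl.mail.protection.outlook.com.": ["213.199.154.23", "213.199.154.87"],
}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in the root label."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(msg, off):
    """Return (name, offset after the name), following a compression pointer if present."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            rest, _ = read_name(msg, ptr)
            return ".".join(labels + [rest.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length


def parse_header(msg):
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "counts": (qd, an, ns, ar)}


def build_query(qname, qtype=TYPE_A, edns=True, do=True, msg_id=0x1234):
    """RD query; with edns=True an OPT RR is appended, DO=1 asking for RRSIGs."""
    msg = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags (DO=0x8000)
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000 if do else 0, 0)
    return msg


def records(msg):
    """Yield (section, name, type, rdata) for every RR after the question section."""
    qd, an, ns, ar = parse_header(msg)["counts"]
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            yield section, name, rtype, msg[off:off + rdlen]
            off += rdlen


def broken_auth_server(query):
    """Constructed stand-in for a nameserver that rejects EDNS, as the dig output above
    shows: FORMERR for any query carrying an OPT RR, otherwise an authoritative but
    unsigned answer. An authoritative server never sets AD; only a validating recursor may."""
    h = parse_header(query)
    qname, qend = read_name(query, 12)
    question = query[12:qend + 4]
    if any(rtype == TYPE_OPT for _, _, rtype, _ in records(query)):
        return struct.pack("!HHHHHH", h["id"], 0x8100 | FORMERR, 1, 0, 0, 0) + question
    addrs = CONSTRUCTED_ZONE.get(qname, [])
    resp = struct.pack("!HHHHHH", h["id"], 0x8500 | NOERROR, 1, len(addrs), 0, 0) + question
    for a in addrs:  # owner name as a pointer to the question name at offset 12
        resp += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes(map(int, a.split(".")))
    return resp


def recursor(server, qname, retry_without_edns=True):
    """Recursor side. With retry_without_edns=True it behaves as BIND did in the thread:
    the FORMERR'd EDNS query is repeated without EDNS and that answer is passed on.
    The plain query carries no DO bit, so no RRSIGs arrive and nothing can be
    validated: AD stays 0 regardless of how well the zone is signed."""
    resp = server(build_query(qname, edns=True, do=True))
    form = "edns+do"
    if parse_header(resp)["rcode"] == FORMERR and retry_without_edns:
        resp = server(build_query(qname, edns=False))
        form = "plain"
    h = parse_header(resp)
    addrs = [".".join(map(str, rdata)) for sec, _, rtype, rdata in records(resp)
             if sec == "answer" and rtype == TYPE_A]
    return {"rcode": h["rcode"], "addresses": addrs, "ad": h["ad"], "query_form": form}


def dane_will_query_tlsa(result):
    """The rule Viktor states: TLSA is only looked up once the address answer validated (AD=1)."""
    return result["rcode"] == NOERROR and result["ad"]


if __name__ == "__main__":
    for retry in (True, False):
        r = recursor(broken_auth_server, "umcg-nl.mail.protection.outlook.com.", retry)
        print("retry without EDNS:", retry, r, "-> TLSA lookup:", dane_will_query_tlsa(r))
```

With the retry, the recursor returns the two A records but AD=0, so a DANE-enabled MTA falls back to opportunistic TLS instead of looking up TLSA; without the retry, the FORMERR is handed straight back and no addresses are returned at all, which is the kind of failure a recursor lacking EDNS fallback would produce. Either way the mail does not get DANE-verified delivery; the difference is whether it gets delivered.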