Hi Viktor,

thanks for your reply.

> 
> I am not sure what you mean by "disables QNAME-minimisation
> automatically", but if it is on by default, and subject to some sort of
> dynamic fallback, I strongly recommend that you instead disable it
> *statically* (always off), or set a very small limit on the number of
> labels for which it is applied:
> 
>     - No qname minimisation after the first two labels, the first
>       3-label query should be the full domain.

Yes, some dynamic fallback [1]. According to that reply, there is no
trouble getting the denial of existence.

> My resolver has no trouble getting denial of existence for this
> domain (which foolishly uses NSEC3 opt-out, but that's typically
> harmless):
> 
>     neusta.de. IN MX 10 smtp-relay-in-s1.neusta.de. ; NoError AD=1
>     smtp-relay-in-s1.neusta.de. IN A 82.198.213.163 ; NoError AD=1
>     smtp-relay-in-s1.neusta.de. IN AAAA ? ; NODATA AD=1
>     _25._tcp.smtp-relay-in-s1.neusta.de. IN TLSA ? ; NXDomain AD=0
> 

Am I missing something that explains why Postfix has trouble with the reply?

dig +dnssec -t TLSA _25._tcp.smtp-relay-in-s1.neusta.de

;; Truncated, retrying in TCP mode.

; <<>> DiG 9.16.15 <<>> +dnssec -t TLSA _25._tcp.smtp-relay-in-s1.neusta.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65061
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;_25._tcp.smtp-relay-in-s1.neusta.de. IN        TLSA

;; AUTHORITY SECTION:
neusta.de.              13922   IN      SOA     ns6.neusta-hosting.de. 
hostmaster.neusta.de.
2021042901 28800 7200 604800 86400
neusta.de.              13922   IN      RRSIG   SOA 7 2 86400 20210529063440 
20210429063440
34262 neusta.de.
Bk2X144vekDm5JswaNbhYM+TIutTNkdIeKkO1hgJGun6HGjbeQwJrPUY
tELUOT/Mz+M+GtZ1rvLi1OonU9sdI0d8/LesSUQKCxncavY01xXaf5DC
eBcqRQ1bJqtelJ8ul020c5MjD4COsn2WHf6plnS/fY3gOx2/AgHW5IsE
VDgPaYAgoxanCfwRkH8OT6LGatOaxRT2wC/7RnJYo1YGQW9auLgHS0hN
AeoKaMtKRvxQnvSp35R1g8X73xqZdtBj7ImzUyzc5OE8QL7D26fjkE8a
s+kK/P1HeLM6hm2t3icdBD5RNLkpbidVoW8ME82FKB5SyE7cJIaRcr9Z /HsbYQ==
j65rgnk4rjepggetu3j93lgkf6et4nbe.neusta.de. 13922 IN NSEC3 1 1 10
6C85373E7E5A85D9 JB3FNV78NDB81VF3DVNKBTLHBT5AR4R9 A RRSIG
j65rgnk4rjepggetu3j93lgkf6et4nbe.neusta.de. 13922 IN RRSIG NSEC3 7 3
86400 20210529063440 20210429063440 34262 neusta.de.
Qxk0RQ55R/NUmlo8yqwii6j2E2auXQvTRY3JQRQSL30MnhAseVDmMVRm
tP0V7w7ctJF6eC7A5Er/o1eWHh5HU20fBJq8brubPsvQh3S3UTivp8W8
wXD4U0jP/45Qn/J1mWQfx+BdhRmmLeqYBpsZzk0B903Gjgsg7sRZfcwd
c1OkJA4m2SoLRGka8zYv80AhPkT6LGOwBJh298U6o8nTGRBfMCGTIOSj
vXoxjoo7YdZNwc3Ad1E4KX9KvmRexdl+og6/snC1xlCJwrhXyeTmNraa
eYkED4XKmhaBgU0tn0CPyQIOft8IIwxSauZzVFCSzbFU5CvqVjkyhriS bJmgSg==
lsabpusr2kqgb2fmtpuv7fn0llh359v6.neusta.de. 13922 IN NSEC3 1 1 10
6C85373E7E5A85D9 LT9PUR4RRHKHIB3894RVC1RSBMNB09O2 CNAME RRSIG
lsabpusr2kqgb2fmtpuv7fn0llh359v6.neusta.de. 13922 IN RRSIG NSEC3 7 3
86400 20210529063440 20210429063440 34262 neusta.de.
TcE/Wrkq4kpmmZ1ms6uP3YG9DGJRhaPqT8A5YLAyk1Vb4BLrdwiS6Bdn
AIyZkHp6Zs8kuWiAUeB+aVrx5hrAbqJEv9NspIW/VfT1eubnnbdp+Jle
tWM79pmHK67vIiS/VGXgVvhxjuLqV1VeyBmvFi556si1ZvsJ4l0FVy4T
Nn8SRsecVU6LBEJMtsU23fufMkBxP5mm1bUCIpBxcmQuSQVA1h9CgoP1
oApl6YOxCLQPbtK4tykcFb7VIxKXn+tOWVUELcP0NOexc2Z/X/KcZ8bD
zNdfVx05SxR25zYqR82ZtueT2Y4jqu3NPxsAb2ck8317ddJL3II5VM/u CEy5yQ==
t98qpd9bv5pqe5ihvvbd0q52s2v9is53.neusta.de. 13922 IN NSEC3 1 1 10
6C85373E7E5A85D9 TFHSQQGEHQ0J0L1OF9PJ15U3N79RQOI3 A RRSIG
t98qpd9bv5pqe5ihvvbd0q52s2v9is53.neusta.de. 13922 IN RRSIG NSEC3 7 3
86400 20210529063440 20210429063440 34262 neusta.de.
TPT1S4PONxLm57wjiUvTx6QF4yK/oZ9rEXn4MDrdMGhaA/xGMBfRMjw3
wfJvCpE1yLdRtTa4T+uk2P3boQHvQeJTB8X45nxTTLG3NrgYG2KGmpBm
+eqxysxcewAT+GT9GxnO++l9EokAoSYtgO+hDpx+HEK6drrSOGXAXdhz
7a8MJkdAUpexkV7y3nhtFit8NLM7hojd8tPNyEoavRmfbm+A7OGJ6FDl
gn/4OFtG+H86hTFKDLqDg6L9xV1hBVVEa5in6mlfaJEVlFFbzU2MNXtp
LxTetz0nwQKGtqmlU8S074Hfbu6SOq5Z+GPgiSGd6HKqJ4yDG8ky2jzD odaKAA==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 04 09:59:36 CEST 2021
;; MSG SIZE  rcvd: 1586


Kind Regards
Bjoern

[1] https://lists.nic.cz/pipermail/knot-resolver-users/2021/000368.html
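
To read the NSEC3 proof in the dig output above, the following added example (not part of the original message) hashes the queried name, its ancestors and their wildcards as RFC 5155 describes, then reports which of the three returned NSEC3 records match or cover each hash. The salt and iteration count are taken from the records shown; the zone name `neusta.de` is assumed from the RRSIG signer field, and the function names are illustrative.

```python
import base64
import hashlib

# Map the RFC 4648 base32 alphabet onto the base32hex alphabet NSEC3 uses.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (algorithm 1, SHA-1) of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # "iterations" additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()

def covers(owner, nxt, h):
    """True if h lies strictly between owner and next-hashed-owner."""
    owner, nxt, h = owner.lower(), nxt.lower(), h.lower()
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt          # last record wraps to the first

def classify(name, zone, records, salt_hex, iterations):
    """Report, per candidate name, which NSEC3 record matches or covers it."""
    labels = name.rstrip(".").split(".")
    depth = len(zone.rstrip(".").split("."))
    ancestors = [".".join(labels[i:]) for i in range(len(labels) - depth + 1)]
    candidates = ancestors + ["*." + a for a in ancestors[1:]]
    result = []
    for cand in candidates:
        h = nsec3_hash(cand, salt_hex, iterations)
        status = "no NSEC3 in this response"
        for owner, nxt in records:
            if h == owner.lower():
                status = "matches " + owner
            elif covers(owner, nxt, h):
                status = "covered by " + owner
        result.append((cand, h, status))
    return result

# (owner hash, next hashed owner) of the three NSEC3 records in the dig output
RECORDS = [
    ("j65rgnk4rjepggetu3j93lgkf6et4nbe", "JB3FNV78NDB81VF3DVNKBTLHBT5AR4R9"),
    ("lsabpusr2kqgb2fmtpuv7fn0llh359v6", "LT9PUR4RRHKHIB3894RVC1RSBMNB09O2"),
    ("t98qpd9bv5pqe5ihvvbd0q52s2v9is53", "TFHSQQGEHQ0J0L1OF9PJ15U3N79RQOI3"),
]

if __name__ == "__main__":
    for row in classify("_25._tcp.smtp-relay-in-s1.neusta.de", "neusta.de",
                        RECORDS, "6C85373E7E5A85D9", 10):
        print(*row)
```

A complete NXDOMAIN proof shows one record matching the closest encloser, one covering the next closer name and one covering the wildcard at the closest encloser.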
