postbank.de / dslbank.de

[Andreas Pothe]

Hi,

Am 02.02.2016 um 12:43 schrieb Andreas Schulze:
> Hallo,
>
> postbank.de is known (to me) as broken somehow. Today I noticed delivery problems to dslbank.de
> That focused my attention again to that unsolved issue.
>
> $ posttls-finger dslbank.de
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mailrelay1.bonn.postbank.de type=TLSA: Host not found, try again
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mailrelay1.bonn.postbank.de type=TLSA: Host not found, try again
> posttls-finger: Failed to establish session to dslbank.de via mailrelay1.bonn.postbank.de: TLSA lookup error for mailrelay1.bonn.postbank.de:25
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mailrelay2.bonn.postbank.de type=TLSA: Host not found, try again
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mailrelay2.bonn.postbank.de type=TLSA: Host not found, try again
> posttls-finger: Failed to establish session to dslbank.de via mailrelay2.bonn.postbank.de: TLSA lookup error for mailrelay2.bonn.postbank.de:25
>
> ...
>
> But I wonder why dane.sys4.de tell me "No TLSA records."
> In fact there is some magic @sys4 that understand, postbank.de do not publish TLSA records.
> postfix do not know this magic and leave messages undelivered in my queue :-/

Deutsche Postbank has some issues on its DNS servers:
http://dnsviz.net/d/postbank.de/dnssec/
http://dnsviz.net/d/dslbank.de/dnssec/
http://dnsviz.net/d/bhw.de/dnssec/

(postbank|dslbank|bhw).de/DNSKEY: The response (512 bytes) was
malformed. (62.153.105.1, 62.153.105.2, 195.50.155.127,
UDP_0_EDNS0_32768_512)

May this cause the reported problems on some systems?
In fact I know Deutsche Postbank AG do not promote any TLSA / DANE
records for any of its domains.