http://dnsviz.net/d/_25._tcp.sisim1.systemec.nl/dnssec/

Andreas Schulze andreas.schulze at datev.de
Wed Jan 17 11:10:00 CET 2018


Hello,

We found messages to MONTAGEBEDRIJFVANDERPLUIJM.NL undeliverable because postfix/unbound could not fetch _25._tcp.sisim1.systemec.nl.
The nameservers deny the existence of _tcp.$MXhost.systemec.nl. As our unbound uses QNAME minimization, that results in _25._tcp.$MXhost.systemec.nl. also failing.

dig @ns.systemec.NL. _tcp.sisim2.systemec.NL any +dnssec
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.9.6-P1 <<>> @ns.systemec.NL. _tcp.sisim2.systemec.NL any +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 769
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1680
;; QUESTION SECTION:
;_tcp.sisim2.systemec.NL.       IN      ANY

;; AUTHORITY SECTION:
systemec.NL.            3600    IN      SOA     ns.systemec.NL. postmaster.systemec.NL. 2017113006 28800 7200 604800 3600
systemec.NL.            3600    IN      RRSIG   SOA 14 2 3600 20180125000000 20180104000000 39248 systemec.nl. mtn3UO0IJXb1WA+2qEp7kYTlqaOAU7qrUcizVJCLQ6Tuda4qgd7fPAO5 qZY9FBQdiP/l4YEEeooZJyMtQilHlLiDK7MBIarIjdNSF2qQrk5hfo1a LJzs5pNW1upEdR51
sisim2.systemec.NL.     3600    IN      NSEC    _25._tcp.sisim2.systemec.nl. A RRSIG NSEC
sisim2.systemec.NL.     3600    IN      RRSIG   NSEC 14 3 3600 20180125000000 20180104000000 39248 systemec.nl. UUcvXFNUVhyOUHka2Md64YKUNVownhfBsly32lqxHYKJ62JV4/x1XXV/ ckROX7CmON8MvNyVAB8FC1p1qGdjOo+Df1jpJ7oduukbEOqCeOVWdQbO 29CrRHe+84Wl/6iz

;; Query time: 18 msec
;; SERVER: 89.20.90.102#53(89.20.90.102)
;; WHEN: Wed Jan 17 11:03:38 CET 2018
;; MSG SIZE  rcvd: 429


The expected answer is "NOERROR" because there are no valid RRs for that label but there exist children ( _25. ).
Is the correct term for that "ENT", "Empty non terminal"?

Maybe someone can relay that information to systemec.nl DNS admins.

We implemented a workaround via smtp_tls_policy_maps: "$DOMAIN -> may" until that is fixed.


-- 
A. Schulze
DATEV eG
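
The mismatch reported above can be checked offline from the NSEC record in the dig output. The following is an added example, not part of the original post: it applies canonical DNS name ordering (RFC 4034, section 6.1) to decide whether an NSEC record marks a queried name as an empty non-terminal. Function names are hypothetical; it assumes names without escaped dots and does not evaluate wildcard proofs.

```python
# Added example: which rcode does a single NSEC record support for a qname?
# Assumptions: no escaped dots in names; wildcard proofs are not evaluated.

# NSEC record copied from the AUTHORITY section of the dig output in the post.
NSEC_LINE = "sisim2.systemec.NL.     3600    IN      NSEC    _25._tcp.sisim2.systemec.nl. A RRSIG NSEC"


def canon(name):
    """Sort key for canonical DNS order: lowercase labels, rightmost first."""
    return [label.encode() for label in reversed(name.rstrip(".").lower().split("."))]


def is_below(name, ancestor):
    """True if `name` is a strict descendant of `ancestor`."""
    n, a = canon(name), canon(ancestor)
    return len(n) > len(a) and n[:len(a)] == a


def covers(owner, nxt, qname):
    """True if qname falls strictly between the NSEC owner and its next name."""
    o, n, q = canon(owner), canon(nxt), canon(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the zone wraps around to the apex


def parse_nsec(line):
    """Return (owner, next_name) from a presentation-format NSEC record."""
    fields = line.split()
    return fields[0], fields[fields.index("NSEC") + 1]


def expected_rcode(qname, nsec_line):
    """Rcode the NSEC record supports for qname, or None if it proves nothing."""
    owner, nxt = parse_nsec(nsec_line)
    if not covers(owner, nxt, qname):
        return None
    # The next name lies below qname: qname is an empty non-terminal, so it
    # exists (with no data) and the answer must be NOERROR, not NXDOMAIN.
    return "NOERROR" if is_below(nxt, qname) else "NXDOMAIN"


def check(qname, rcode, nsec_line):
    """Compare a received rcode with what the NSEC record supports."""
    want = expected_rcode(qname, nsec_line)
    if want is None:
        return "nsec-not-applicable"
    return "consistent" if rcode == want else f"mismatch: NSEC implies {want}"
```

Calling `check("_tcp.sisim2.systemec.NL.", "NXDOMAIN", NSEC_LINE)` flags the response shown in the post, because the server's own NSEC record names a descendant of the queried label.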

