NetBSD-Users archive


trouble resolving protonmail.ch, dnssec, seems netbsd-specific maybe



On a machine that is up to date netbsd-8 amd64, I am having a mail
problem, and other than this problem works correctly.

The machine runs named, and resolv.conf points to ::1.

I email with several people at protonmail.ch, and have noticed messages
sitting in the postfix transmit queue with complaints, variously:

  (Host or domain name not found. Name service error for name=mailsec.protonmail.ch type=AAAA: Host not found, try again)
  (delivery temporarily suspended: Host or domain name not found. Name service error for name=mailsec.protonmail.ch type=AAAA: Host not found, try again)

When doing "dig protonmail.ch", I get SERVFAIL and see:

  Mar 19 17:46:55 foo named[4750]: query client=0x7a78c4b0c800 thread=0x7a78c8385000 (protonmail.ch/ANY): query_find: unexpected error after resuming: broken trust chain

I also see

  Mar 19 17:46:28 foo named[4750]: validating mailsec.protonmail.ch/A: bad cache hit (protonmail.ch/DNSKEY)
  Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/A/IN': 185.70.40.19#53
  Mar 19 17:46:28 foo named[4750]: query client=0x7a78c7734800 thread=0x7a78c8385000 (mailsec.protonmail.ch/A): query_find: unexpected error after resuming: broken trust chain
  Mar 19 17:46:28 foo named[4750]:   validating protonmail.ch/SOA: bad cache hit (protonmail.ch/DNSKEY)
  Mar 19 17:46:28 foo named[4750]:   validating A18T1659TTNDNCA9ELRP0TQUCQDH3LD6.protonmail.ch/NSEC3: bad cache hit (protonmail.ch/DNSKEY)
  Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/AAAA/IN': 3.127.12.149#53
  Mar 19 17:46:28 foo named[4750]: query client=0x7a78c4b0b800 thread=0x7a78c8385000 (mailsec.protonmail.ch/AAAA): query_find: unexpected error after resuming: broken trust chain
  Mar 19 17:46:28 foo named[4750]:   validating protonmail.ch/SOA: bad cache hit (protonmail.ch/DNSKEY)
  Mar 19 17:46:28 foo named[4750]:   validating A18T1659TTNDNCA9ELRP0TQUCQDH3LD6.protonmail.ch/NSEC3: bad cache hit (protonmail.ch/DNSKEY)
  Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/AAAA/IN': 18.194.37.70#53
  Mar 19 17:46:28 foo named[4750]: query client=0x7a78c4713800 thread=0x7a78c8387000 (mailsec.protonmail.ch/AAAA): query_find: unexpected error after resuming: broken trust chain

I did "ntpq -p" and my offsets are within +/- 10 ms.

On a netbsd.org machine, things seem fine, and outgoing mail to
protonmail is delivered.

On another netbsd-8 machine of mine, RPI3, in a different place, also
running named, I see the same problem.

Using a proprietary email service, mail is also delivered to protonmail.


So:

  If you have a netbsd box with named or some other resolver running,
  does "dig protonmail.ch" work, and what about "dig mail.protonmail.ch
  in a"?

  Do you think other places actually validate DNSSEC, to the point
  where they do not return results if things are off?

  Do you think there is anything wrong with our named and dnssec root
  key setup?

  Anything else I should be asking?

Thanks,
Greg
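
An added example, not part of the original message: a small Python triage of named validator log lines like those quoted above. It groups failures by the RRset that the "bad cache hit" lines point at, so it is visible at a glance whether every failure traces to one key and how many upstream servers were involved. The function names and the suffix-matching heuristic are assumptions of this example, and the sample is a subset of the quoted log.

```python
import re
from collections import defaultdict

# Subset of the named log lines quoted in the message above.
SAMPLE_LOG = """\
Mar 19 17:46:28 foo named[4750]: validating mailsec.protonmail.ch/A: bad cache hit (protonmail.ch/DNSKEY)
Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/A/IN': 185.70.40.19#53
Mar 19 17:46:28 foo named[4750]:   validating protonmail.ch/SOA: bad cache hit (protonmail.ch/DNSKEY)
Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/AAAA/IN': 3.127.12.149#53
Mar 19 17:46:55 foo named[4750]: query client=0x7a78c4b0c800 thread=0x7a78c8385000 (protonmail.ch/ANY): query_find: unexpected error after resuming: broken trust chain
"""

P = r"named\[\d+\]:\s+"
BAD_CACHE = re.compile(P + r"validating (\S+)/(\w+): bad cache hit \((\S+)/(\w+)\)")
BROKEN = re.compile(P + r"broken trust chain resolving '([^']+)/(\w+)/IN': (\S+)#\d+")
QUERY = re.compile(P + r"query client=\S+ thread=\S+ \((\S+)/(\w+)\): .*broken trust chain")


def under(name, zone):
    """True if name equals zone or is a subdomain of it (case-insensitive)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def triage(log_text):
    """Group failures by the RRset that 'bad cache hit' lines point at."""
    groups = defaultdict(lambda: {"rrsets": set(), "failed": set(), "servers": set()})
    pending = []  # (qname, qtype, server or None), attributed after the first pass
    for line in log_text.splitlines():
        if m := BAD_CACHE.search(line):
            groups[f"{m[3]}/{m[4]}"]["rrsets"].add(f"{m[1]}/{m[2]}")
        elif m := BROKEN.search(line):
            pending.append((m[1], m[2], m[3]))
        elif m := QUERY.search(line):
            pending.append((m[1], m[2], None))
    keys = list(groups)
    for qname, qtype, server in pending:
        # Example heuristic: blame the longest flagged owner name that contains qname.
        hits = [k for k in keys if under(qname, k.split("/")[0])]
        key = max(hits, key=len) if hits else "unattributed"
        groups[key]["failed"].add(f"{qname}/{qtype}")
        if server:
            groups[key]["servers"].add(server)
    return {k: {f: sorted(v) for f, v in g.items()} for k, g in groups.items()}


if __name__ == "__main__":
    for key, g in triage(SAMPLE_LOG).items():
        print(key, g)
```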

