NetBSD-Users archive
Re: trouble resolving protonmail.ch, dnssec, seems netbsd-specific maybe
On Thu, 19 Mar 2020 at 21:58, Greg Troxel <gdt%lexort.com@localhost> wrote:
>
> On a machine that is up to date netbsd-8 amd64, I am having a mail
> problem, and other than this problem works correctly.
>
> The machine runs named, and resolv.conf points to ::1.
>
> I email with several people at protonmail.ch, and have noticed messages
> sitting in the postfix transmit queue with complaints, variously:
>
> (Host or domain name not found. Name service error for name=mailsec.protonmail.ch type=AAAA: Host not found, try again)
> (delivery temporarily suspended: Host or domain name not found. Name service error for name=mailsec.protonmail.ch type=AAAA: Host not found, try again)
>
> When doing "dig protonmail.ch", I get SERVFAIL and see:
>
> Mar 19 17:46:55 foo named[4750]: query client=0x7a78c4b0c800 thread=0x7a78c8385000 (protonmail.ch/ANY): query_find: unexpected error after resuming: broken trust chain
>
> I also see
>
> Mar 19 17:46:28 foo named[4750]: validating mailsec.protonmail.ch/A: bad cache hit (protonmail.ch/DNSKEY)
> Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/A/IN': 185.70.40.19#53
> Mar 19 17:46:28 foo named[4750]: query client=0x7a78c7734800 thread=0x7a78c8385000 (mailsec.protonmail.ch/A): query_find: unexpected error after resuming: broken trust chain
> Mar 19 17:46:28 foo named[4750]: validating protonmail.ch/SOA: bad cache hit (protonmail.ch/DNSKEY)
> Mar 19 17:46:28 foo named[4750]: validating A18T1659TTNDNCA9ELRP0TQUCQDH3LD6.protonmail.ch/NSEC3: bad cache hit (protonmail.ch/DNSKEY)
> Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/AAAA/IN': 3.127.12.149#53
> Mar 19 17:46:28 foo named[4750]: query client=0x7a78c4b0b800 thread=0x7a78c8385000 (mailsec.protonmail.ch/AAAA): query_find: unexpected error after resuming: broken trust chain
> Mar 19 17:46:28 foo named[4750]: validating protonmail.ch/SOA: bad cache hit (protonmail.ch/DNSKEY)
> Mar 19 17:46:28 foo named[4750]: validating A18T1659TTNDNCA9ELRP0TQUCQDH3LD6.protonmail.ch/NSEC3: bad cache hit (protonmail.ch/DNSKEY)
> Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/AAAA/IN': 18.194.37.70#53
> Mar 19 17:46:28 foo named[4750]: query client=0x7a78c4713800 thread=0x7a78c8387000 (mailsec.protonmail.ch/AAAA): query_find: unexpected error after resuming: broken trust chain
>
> I did "ntpq -p" and my offsets are within +/- 10 ms.
>
> On a netbsd.org machine, things seem fine, and outgoing mail to
> protonmail is delivered.
>
> On another netbsd-8 machine of mine, RPI3, in a different place, also
> running named, I see the same problem.
>
> Using a proprietary email service, mail is also delivered to protonmail.
>
>
> So:
>
> If you have a netbsd box with named or some other resolver running,
> does "dig protonmail.ch" work, and what about "dig mail.protonmail.ch
> in a"?
$ uname -a
NetBSD eee 8.99.2 NetBSD 8.99.2 (RPI) #0: Sun Sep 17 00:08:51 UTC 2017
sysbuild@ymir:/home/sysbuild/evbarm/obj/home/sysbuild/src/sys/arch/evbarm/compile/RPI
evbarm
$ dig protonmail.ch
; <<>> DiG 9.10.5-P2 <<>> protonmail.ch
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16621
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;protonmail.ch. IN A
;; ANSWER SECTION:
protonmail.ch. 817 IN A 185.70.41.32
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 19 22:08:18 GMT 2020
;; MSG SIZE rcvd: 58
$ dig mail.protonmail.ch in a
; <<>> DiG 9.10.5-P2 <<>> mail.protonmail.ch in a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59988
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.protonmail.ch. IN A
;; ANSWER SECTION:
mail.protonmail.ch. 1062 IN A 185.70.40.103
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 19 22:09:08 GMT 2020
;; MSG SIZE rcvd: 63
That's on my local unbound server. I set it up just for laughs more
than a year ago and it hasn't stopped for a minute.
$ uptime
10:11PM up 402 days, 12:10, 5 users, load averages: 0.00, 0.00, 0.00
On the original Raspberry PI model B...
>
> Do you think other places actually validate DNSSEC, to the point
> where they do not return results if things are off?
>
> Do you think there is anything wrong with our named and dnssec root
> key setup?
>
> Anything else I should be asking?
>
> Thanks,
> Greg
--
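As an added triage aid, not code from the thread, from BIND or from unbound: the script below parses named log lines of the shape Greg quoted ("validating .../X: bad cache hit (zone/DNSKEY)" and "broken trust chain resolving ...") to group the failures by the zone whose DNSKEY could not be trusted and to list the upstream servers involved, parses dig header lines like those in the reply to report whether the answer carried the "ad" (authenticated data) flag, and classifies the pair of results from a plain query and the same query sent with +cd (checking disabled). Since +cd tells the resolver to skip validation, a SERVFAIL that turns into NOERROR under +cd points at the local validator (stale or bad DNSKEY cache, trust anchor, clock), whereas SERVFAIL under both points at the upstream path. All sample log and dig text embedded below is constructed in the shape of the thread's output; the host name "foo", the query ids and the final "query:" log line are made up.

```python
"""Triage helpers for the DNSSEC 'broken trust chain' symptom discussed in the thread.

Added example, not code from the thread, BIND or unbound. Assumes the log and dig
line shapes quoted in the thread; the samples below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the named log lines quoted in the thread.
SAMPLE_NAMED_LOG = """\
Mar 19 17:46:28 foo named[4750]: validating mailsec.protonmail.ch/A: bad cache hit (protonmail.ch/DNSKEY)
Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/A/IN': 185.70.40.19#53
Mar 19 17:46:28 foo named[4750]: validating protonmail.ch/SOA: bad cache hit (protonmail.ch/DNSKEY)
Mar 19 17:46:28 foo named[4750]: validating A18T1659TTNDNCA9ELRP0TQUCQDH3LD6.protonmail.ch/NSEC3: bad cache hit (protonmail.ch/DNSKEY)
Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/AAAA/IN': 3.127.12.149#53
Mar 19 17:46:55 foo named[4750]: query client=0x7a78c4b0c800 thread=0x7a78c8385000 (protonmail.ch/ANY): query_find: unexpected error after resuming: broken trust chain
Mar 19 17:47:01 foo named[4750]: client @0x7a78c4b0c800 ::1#54321 (example.org): query: example.org IN A +E(0) (::1)
"""

# Constructed dig headers: one NOERROR answer as in the reply, one SERVFAIL as Greg saw.
SAMPLE_DIG_NOERROR = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16621
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_DIG_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

BAD_CACHE_RE = re.compile(
    r"validating (?P<name>[^/\s]+)/(?P<rtype>[^/\s:]+): bad cache hit \((?P<zone>[^/\s]+)/DNSKEY\)")
BROKEN_CHAIN_RE = re.compile(
    r"broken trust chain resolving '(?P<name>[^/]+)/(?P<rtype>[^/]+)/IN': (?P<server>[^#\s]+)#(?P<port>\d+)")
DIG_HEADER_RE = re.compile(
    r";; ->>HEADER<<- opcode: (?P<opcode>\w+), status: (?P<status>\w+), id: (?P<id>\d+)")
DIG_FLAGS_RE = re.compile(r";; flags: (?P<flags>[a-z ]*);")


def summarize_named_log(text):
    """Group validation failures by the zone whose DNSKEY named refused to trust.

    Returns {"zones": {zone: {"names": set, "events": int}},
             "servers": set of "ip#port" that answered the failing queries,
             "broken_chain_events": int}. Unrelated log lines are ignored."""
    zones = defaultdict(lambda: {"names": set(), "events": 0})
    servers = set()
    broken = 0
    for line in text.splitlines():
        m = BAD_CACHE_RE.search(line)
        if m:
            zones[m["zone"]]["names"].add(m["name"])
            zones[m["zone"]]["events"] += 1
            continue
        m = BROKEN_CHAIN_RE.search(line)
        if m:
            broken += 1
            servers.add(f"{m['server']}#{m['port']}")
    return {"zones": dict(zones), "servers": servers, "broken_chain_events": broken}


def dig_verdict(dig_output):
    """Read the status and flags from dig's header lines.

    'validated' needs the ad flag; note the resolver only sets ad when the query
    asked for it (dig +dnssec or +adflag), so 'unverified' means "not proven",
    not "not validated"."""
    h = DIG_HEADER_RE.search(dig_output)
    f = DIG_FLAGS_RE.search(dig_output)
    if not h or not f:
        raise ValueError("no dig header/flags lines found")
    flags = f["flags"].split()
    status = h["status"]
    if status == "SERVFAIL":
        verdict = "servfail"
    elif "ad" in flags:
        verdict = "validated"
    else:
        verdict = "unverified"
    return {"status": status, "flags": flags, "verdict": verdict}


def classify_pair(normal_status, cd_status):
    """Compare the status of a plain query with the same query sent with +cd.

    +cd (checking disabled) asks the resolver to skip DNSSEC validation, which
    separates a local validator problem from an upstream lookup problem."""
    if normal_status != "SERVFAIL":
        return "resolves"
    if cd_status == "SERVFAIL":
        return "upstream failure"
    return "local validation failure"


if __name__ == "__main__":
    summary = summarize_named_log(SAMPLE_NAMED_LOG)
    for zone, info in summary["zones"].items():
        print(f"{zone}: {info['events']} DNSKEY validation failures for {sorted(info['names'])}")
    print("servers on failing paths:", sorted(summary["servers"]))
    print("plain dig:", dig_verdict(SAMPLE_DIG_SERVFAIL)["verdict"])
    print("plain vs +cd:", classify_pair("SERVFAIL", "NOERROR"))
```

To use this against a real resolver, feed it the named syslog lines and the output of "dig <name>" and "dig +cd <name>" run against the same server; with BIND, "rndc flush" after a confirmed local validation failure clears the cached DNSKEY set so the next lookup re-fetches it.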