Bug 1124 - Authoritative NOTIMP responses causes Unbound to SRVFAIL
Authoritative NOTIMP responses causes Unbound to SRVFAIL
Status: ASSIGNED
Product: unbound
Classification: Unclassified
Component: server
1.5.8
All All
: P5 major
Assigned To: unbound team
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-10-04 10:06 CEST by Ilari Stenroth
Modified: 2016-10-06 15:07 CEST (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ilari Stenroth 2016-10-04 10:06:25 CEST
Authoritative DNS servers for mail.protection.outlook.com domain are responding NOTIMP for a TLSA queriy (which Postfix MTA is doing when DANE feature is enabled). Unbound replies SRVFAIL to a client (Postfix in this case). Postfix will fail mail delivery as it holds the mail in the queue forever until SRVFAIL in DNS clears (which never happens).

Unbound probably is doing the right thing to respond SRVFAIL to a non-standard authoritative DNS server behaviour but I think it could be reasonable to be less strict in this matter and convert NOTIMP response to NODATA.
Comment 1 Ralph Dolmans 2016-10-06 15:07:42 CEST
Hi Ilari,

Replying with NOTIMP for unimplemented qtypes is indeed not conform the specifications. Unbound should not simply ignore this RCODE.

However, I do not think this should be an issue for DANE validation in postfix. Because these types of broken nameservers/loadbalancers are known, the DANE SMTP RFC tries to limit the impact by mandating that an A or AAAA query should be performed before the TLSA query. Since the A query to mail.protection.outlook.com will show that it is in an unsigned zone, no TLSA query should be performed. See section 2.2.2 in RFC7672. As far as I know postfix complies to this standard.

Regards,
-- Ralph