NetBSD-Users archive


Re: trouble resolving protonmail.ch, dnssec, seems netbsd-specific maybe



On Thu, 19 Mar 2020 at 21:58, Greg Troxel <gdt%lexort.com@localhost> wrote:
>
> On a machine that is up to date netbsd-8 amd64, I am having a mail
> problem, and other than this problem works correctly.
>
> The machine runs named, and resolv.conf points to ::1.
>
> I email with several people at protonmail.ch, and have noticed messages
> sitting in the postfix transmit queue with complaints, variously:
>
>   (Host or domain name not found. Name service error for name=mailsec.protonmail.ch type=AAAA: Host not found, try again)
>   (delivery temporarily suspended: Host or domain name not found. Name service error for name=mailsec.protonmail.ch type=AAAA: Host not found, try again)
>
> When doing "dig protonmail.ch", I get SERVFAIL and see:
>
>   Mar 19 17:46:55 foo named[4750]: query client=0x7a78c4b0c800 thread=0x7a78c8385000 (protonmail.ch/ANY): query_find: unexpected error after resuming: broken trust chain
>
> I also see
>
>   Mar 19 17:46:28 foo named[4750]: validating mailsec.protonmail.ch/A: bad cache hit (protonmail.ch/DNSKEY)
>   Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/A/IN': 185.70.40.19#53
>   Mar 19 17:46:28 foo named[4750]: query client=0x7a78c7734800 thread=0x7a78c8385000 (mailsec.protonmail.ch/A): query_find: unexpected error after resuming: broken trust chain
>   Mar 19 17:46:28 foo named[4750]:   validating protonmail.ch/SOA: bad cache hit (protonmail.ch/DNSKEY)
>   Mar 19 17:46:28 foo named[4750]:   validating A18T1659TTNDNCA9ELRP0TQUCQDH3LD6.protonmail.ch/NSEC3: bad cache hit (protonmail.ch/DNSKEY)
>   Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/AAAA/IN': 3.127.12.149#53
>   Mar 19 17:46:28 foo named[4750]: query client=0x7a78c4b0b800 thread=0x7a78c8385000 (mailsec.protonmail.ch/AAAA): query_find: unexpected error after resuming: broken trust chain
>   Mar 19 17:46:28 foo named[4750]:   validating protonmail.ch/SOA: bad cache hit (protonmail.ch/DNSKEY)
>   Mar 19 17:46:28 foo named[4750]:   validating A18T1659TTNDNCA9ELRP0TQUCQDH3LD6.protonmail.ch/NSEC3: bad cache hit (protonmail.ch/DNSKEY)
>   Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/AAAA/IN': 18.194.37.70#53
>   Mar 19 17:46:28 foo named[4750]: query client=0x7a78c4713800 thread=0x7a78c8387000 (mailsec.protonmail.ch/AAAA): query_find: unexpected error after resuming: broken trust chain
>
> I did "ntpq -p" and my offsets are within +/- 10 ms.
>
> On a netbsd.org machine, things seem fine, and outgoing mail to
> protonmail is delivered.
>
> On another netbsd-8 machine of mine, RPI3, in a different place, also
> running named, I see the same problem.
>
> Using a proprietary email service, mail is also delivered to protonmail.
>
>
> So:
>
>   If you have a netbsd box with named or some other resolver running,
>   does "dig protonmail.ch" work, and what about "dig mail.protonmail.ch
>   in a"?

$ uname -a
NetBSD eee 8.99.2 NetBSD 8.99.2 (RPI) #0: Sun Sep 17 00:08:51 UTC 2017
 sysbuild@ymir:/home/sysbuild/evbarm/obj/home/sysbuild/src/sys/arch/evbarm/compile/RPI
evbarm
$ dig protonmail.ch

; <<>> DiG 9.10.5-P2 <<>> protonmail.ch
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16621
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;protonmail.ch.                 IN      A

;; ANSWER SECTION:
protonmail.ch.          817     IN      A       185.70.41.32

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 19 22:08:18 GMT 2020
;; MSG SIZE  rcvd: 58

$ dig mail.protonmail.ch in a

; <<>> DiG 9.10.5-P2 <<>> mail.protonmail.ch in a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59988
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.protonmail.ch.            IN      A

;; ANSWER SECTION:
mail.protonmail.ch.     1062    IN      A       185.70.40.103

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 19 22:09:08 GMT 2020
;; MSG SIZE  rcvd: 63

That's on my local unbound server. I set it up just for laughs more
than a year ago and it hasn't stopped for a minute.

$ uptime
10:11PM  up 402 days, 12:10, 5 users, load averages: 0.00, 0.00, 0.00

On the original Raspberry PI model B...


>
>   Do you think other places actually validate DNSSEC, to the point
>   where they do not return results if things are off?
>
>   Do you think there is anything wrong with our named and dnssec root
>   key setup?
>
>   Anything else I should be asking?
>
> Thanks,
> Greg





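To triage the kind of named failure Greg quotes above, here is an added example (mine, not code from this thread, NetBSD or BIND) that groups the "bad cache hit (zone/DNSKEY)" and "broken trust chain" log lines by the zone whose DNSKEY could not be validated, so you can see at a glance which zone's cached DNSKEY failure is taking down every name beneath it; the embedded log lines are constructed from the ones posted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the named log lines quoted in this thread.
SAMPLE_LOG = """\
Mar 19 17:46:28 foo named[4750]: validating mailsec.protonmail.ch/A: bad cache hit (protonmail.ch/DNSKEY)
Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/A/IN': 185.70.40.19#53
Mar 19 17:46:28 foo named[4750]:   validating protonmail.ch/SOA: bad cache hit (protonmail.ch/DNSKEY)
Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/AAAA/IN': 3.127.12.149#53
Mar 19 17:46:28 foo named[4750]: broken trust chain resolving 'mailsec.protonmail.ch/AAAA/IN': 18.194.37.70#53
Mar 19 17:46:55 foo named[4750]: query client=0x7a78c4b0c800 thread=0x7a78c8385000 (protonmail.ch/ANY): query_find: unexpected error after resuming: broken trust chain
Mar 19 17:46:56 foo named[4750]: query client=0x7a78c4b0c800 thread=0x7a78c8385000 (www.example.test/A): query_find: unexpected error after resuming: broken trust chain
"""

# "bad cache hit (<zone>/DNSKEY)": the validator reused a cached, already-failed
# DNSKEY lookup for <zone>, so every name beneath <zone> fails until it expires.
BAD_CACHE_RE = re.compile(r"validating (\S+)/(\S+): bad cache hit \((\S+)/DNSKEY\)")
BROKEN_RE = re.compile(r"broken trust chain resolving '(\S+)/(\S+)/IN': (\S+)#\d+")
CLIENT_RE = re.compile(r"\((\S+)/(\S+)\): query_find: .*broken trust chain")

def _owning_zone(name, zones):
    """Return the longest known DNSKEY zone that contains `name`, or None."""
    hits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None

def triage(log_text):
    """Group DNSSEC validation failures by the zone whose DNSKEY failed to validate."""
    report = defaultdict(lambda: {"bad_cache_hits": 0, "failed_names": set(),
                                  "servers": set(), "client_servfails": 0})
    lines = log_text.splitlines()
    # Pass 1: learn which zones carry a cached failed DNSKEY entry.
    for line in lines:
        m = BAD_CACHE_RE.search(line)
        if m:
            report[m.group(3)]["bad_cache_hits"] += 1
    zones = list(report)
    # Pass 2: attribute each failed resolution and client-facing error to that zone.
    for line in lines:
        m = BROKEN_RE.search(line)
        if m:
            zone = _owning_zone(m.group(1), zones) or "unknown"
            report[zone]["failed_names"].add(m.group(1))
            report[zone]["servers"].add(m.group(3))
            continue
        m = CLIENT_RE.search(line)
        if m:
            zone = _owning_zone(m.group(1), zones) or "unknown"
            report[zone]["client_servfails"] += 1
    return dict(report)
```

Names that fail without any matching DNSKEY cache line land in the "unknown" bucket, which is the hint to look for a different cause than a stale cached DNSKEY failure.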