DNS resolution problems with nameserver of post.ch and incamail.com
Updates
The situation has improved: ALL the nameservers now consistently return NXDOMAIN for TLSA queries, which makes the policy determination reliable again.
for ns in $(dig +short post.ch ns) ; do echo "$ns" ; dig @$ns _25._tcp.mx2.post.ch 2>&1 | grep -Ei '(NXDOMAIN|SERVFAIL|timed out)' ; done
dns1.post.ch.
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16091
dns3.post.ch.
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 880
dns4.post.ch.
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7510
dns2.post.ch.
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42187
So we now see consistent replies from the nameservers. We therefore close the incident and will keep monitoring our outbound queues.
Currently our outbound systems have been able to deliver all the queued messages for those domains. But we see that the nameservers of Swiss Post still do not reliably reply to all TLSA queries.
We're currently seeing issues with the nameservers of Swiss Post, which are responsible for the post.ch and incamail.com domains. TLSA records can no longer be resolved; the queries end in connection timeouts. Therefore SEPPmail Outbound systems cannot deliver outgoing mail to these two domains at the moment, as the TLSA (DANE) policy cannot be determined. Other DNS RR types can still be resolved; currently it looks like only TLSA is affected.
Our systems will hold such mails in their queues and regularly try to resolve the RRs again. As soon as they can be resolved again, the mails will be delivered. No action is required from customers, and no mails should be lost.
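
The per-nameserver check from the updates above, extended into a reusable script that queries the TLSA type explicitly and reduces the replies to one verdict. This is an added example, not SEPPmail's own tooling; the function names `classify_reply`, `tlsa_verdict` and `check_zone` and the verdict words are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names and verdict words are illustrative choices.

# Reduce one dig reply (text on stdin) to a single status word.
classify_reply() {
    awk '
        /timed out|no servers could be reached/ { s = "TIMEOUT" }
        /->>HEADER<<-/ {
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s) }
        }
        END { print (s == "" ? "UNKNOWN" : s) }'
}

# Reduce the per-nameserver statuses (one per argument) to a verdict.
# "determinable": every server gave the same NXDOMAIN or NOERROR reply.
# "defer": any timeout, SERVFAIL or disagreement, so the result depends on
# which server is asked and the message stays queued for a later retry.
tlsa_verdict() {
    [ "$#" -gt 0 ] || { echo defer; return 0; }
    first=$1
    for s in "$@"; do
        case "$s" in
            NXDOMAIN|NOERROR) [ "$s" = "$first" ] || { echo defer; return 0; } ;;
            *) echo defer; return 0 ;;
        esac
    done
    echo determinable
}

# Live check of every authoritative server of a zone (needs network access).
# Usage: check_zone post.ch _25._tcp.mx2.post.ch
check_zone() {
    statuses=""
    for ns in $(dig +short "$1" ns); do
        st=$(dig +time=3 +tries=1 "@$ns" "$2" tlsa 2>&1 | classify_reply)
        echo "$ns $st"
        statuses="$statuses $st"
    done
    # Word splitting of $statuses is intended: one argument per server.
    tlsa_verdict $statuses
}

# Constructed status sets, not captured data: one mixed, one consistent.
echo "mixed:      $(tlsa_verdict NXDOMAIN TIMEOUT SERVFAIL NXDOMAIN)"
echo "consistent: $(tlsa_verdict NXDOMAIN NXDOMAIN NXDOMAIN NXDOMAIN)"
```

Running `check_zone` from a monitoring job against each recipient zone shows a single misbehaving authoritative server even when a caching resolver happens to return a good answer.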