Closed vdukhovni closed 6 years ago
Thank you, I realise that I've phrased myself poorly. I've removed schenkmakelaars.nl, which has been fixed. I do, however, still get DANE validation failures for "dkz-networks.nl", both in Postfix and Halon:
Jan 12 23:00:05 test postfix/smtp[3594]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.dkz-networks.nl type=TLSA: Host not found, try again
Jan 12 23:00:05 test postfix/smtp[3594]: warning: TLS policy lookup for dkz-networks.nl/dkz-networks.nl: TLSA lookup error for dkz-networks.nl:25
unbound[3871:0] info: reply from <dkz-networks.nl.> 178.62.34.128#53
unbound[3871:0] info: query response was nodata ANSWER
unbound[3871:0] debug: NODATA response failed to prove NODATA status with NSEC/NSEC3
unbound[3871:0] info: validate(nodata): sec_status_bogus 178.62.34.128
Yes, sorry, you're right, the second domain exhibits ServFail errors. The comment was misleading. Removing just the first domain is the right outcome. See http://dnsviz.net/d/_25._tcp.dkz-networks.nl/dnssec/
Insecure denial of existence is normal. It can happen when a domain (wisely or otherwise) uses the NSEC3 opt-out bit or when TLSA records are CNAMEs into an insecure zone. This should be treated just the same as secure denial of existence. Only SERVFAIL, timeout, REFUSED, ... (actual DNS lookup errors) should cause the MX to be skipped. The above domains are not problematic. Software that treats insecure denial of existence as a lookup problem needs to be remediated.
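As an added illustration (not code from this issue, nor from Postfix or Halon), here is a small policy function that sorts a TLSA lookup result into the three outcomes the comment above distinguishes: authenticated TLSA records (enforce DANE), secure or insecure denial of existence (no DANE, but not an error), and a real lookup error (skip the MX). The TlsaLookup record and the sample scenarios are constructed assumptions; the handling of TLSA records that are present but not authenticated (treated as absent) is also an assumption, not something the comment states.

```python
"""Classify a TLSA lookup result as an MTA would for its DANE policy.

Assumed, constructed input: a minimal resolver result (rcode, AD flag,
TLSA record count). A real MTA gets this from a validating resolver such
as unbound; here it is hand-built so the example runs offline.
"""
from dataclasses import dataclass
from typing import Optional

# Outcomes an MTA can take for one MX host.
DANE = "dane"          # authenticated TLSA records present: enforce DANE
NO_DANE = "no_dane"    # no usable TLSA records: fall back to the non-DANE policy
SKIP_MX = "skip_mx"    # real lookup error: defer / try the next MX


@dataclass
class TlsaLookup:
    rcode: Optional[str]   # "NOERROR", "NXDOMAIN", "SERVFAIL", "REFUSED"; None = timeout
    ad: bool               # AD flag set by the validating resolver
    tlsa_count: int        # TLSA RRs in the answer section


def classify(r: TlsaLookup) -> str:
    # Timeout, SERVFAIL (e.g. unbound rejecting a NODATA proof as bogus),
    # REFUSED, ... are actual lookup errors: only these justify skipping the MX.
    if r.rcode not in ("NOERROR", "NXDOMAIN"):
        return SKIP_MX
    # Denial of existence (NXDOMAIN or NODATA). Secure (AD set) and insecure
    # (AD clear, e.g. NSEC3 opt-out or a CNAME into an insecure zone) are
    # treated identically: no DANE, but no error either.
    if r.rcode == "NXDOMAIN" or r.tlsa_count == 0:
        return NO_DANE
    # TLSA records present. Assumption: only authenticated ones may be used;
    # unauthenticated records are treated as if absent.
    return DANE if r.ad else NO_DANE


# Constructed scenarios, including the "sec_status_bogus" case from the
# unbound log above, which reaches the MTA as SERVFAIL.
SAMPLES = {
    "bogus NODATA proof -> SERVFAIL": TlsaLookup("SERVFAIL", False, 0),
    "secure denial of existence": TlsaLookup("NOERROR", True, 0),
    "insecure denial (NSEC3 opt-out)": TlsaLookup("NOERROR", False, 0),
    "authenticated TLSA": TlsaLookup("NOERROR", True, 2),
    "unauthenticated TLSA": TlsaLookup("NOERROR", False, 2),
    "timeout": TlsaLookup(None, False, 0),
}


def classify_all() -> dict:
    return {name: classify(r) for name, r in SAMPLES.items()}
```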