Postfix not accepting DANE secured peer
Carsten Strotmann (sys4)
cs at sys4.de
Sun Feb 1 13:03:44 CET 2015
Wolfgang Rosenauer writes:
> Thanks for that hint. I guess this is exactly the issue.
> The recursive resolver for the smtp client is actually indeed also the
> authoritative dns for the target domain.
> This special case came absolutely unexpected to me though.
If the DNS server that is the owner of the data (the authoritative
server) would also do the DNSSEC verification, not much security
would be gained. It would be like having the treasurer and the auditor
being the same person, not secure.
With DNSSEC, the validating resolver cannot be authoritative. A DNS
server that is authoritative will respond with an AA (Authoritative
Answer) flag, but never with AD (Authenticated Data).
I wrote a blog article on this topic some while ago:
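As an added illustration (not from this thread, and not Postfix's own code), the following Python snippet decodes the flags word of a DNS response header and applies the rule described above: a DANE client may only trust TLSA data when the resolver marks it AD (Authenticated Data), and an AA (Authoritative Answer) reply from a server that happens to be authoritative for the zone carries no validation at all. The two replies are constructed sample headers, not captured traffic.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035). AA = Authoritative Answer,
# AD = Authenticated Data; only a validating resolver ever sets AD.
FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010


def parse_header_flags(msg: bytes) -> dict:
    """Decode the 16-bit flags word from a 12-byte DNS message header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def dane_usable(msg: bytes) -> bool:
    """True only for a successful reply with AD=1. An AA=1/AD=0 reply is
    authoritative but unvalidated, which is exactly what a resolver that is
    also authoritative for the target zone returns."""
    f = parse_header_flags(msg)
    return f["qr"] and f["rcode"] == 0 and f["ad"]


def build_header(flags: int, ancount: int = 1) -> bytes:
    """Constructed sample header: ID 0x1234, one question, no NS/AR records."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)


# Constructed samples: a validating recursive resolver (QR RD RA AD) versus
# the same resolver answering from a zone it is authoritative for (QR RD RA AA).
VALIDATED_REPLY = build_header(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
AUTHORITATIVE_REPLY = build_header(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AA)

if __name__ == "__main__":
    for name, reply in (("validating", VALIDATED_REPLY), ("authoritative", AUTHORITATIVE_REPLY)):
        f = parse_header_flags(reply)
        print(f"{name}: AA={f['aa']} AD={f['ad']} -> DANE usable: {dane_usable(reply)}")
```

The same distinction can be seen on a live system by looking for the `ad` flag in the header section of a `dig +dnssec` reply for the MX host's TLSA record; a reply showing `aa` but no `ad` is the configuration discussed in this thread.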