Postfix not accepting DANE secured peer

Carsten Strotmann (sys4) cs at
Sun Feb 1 13:03:44 CET 2015

Hello Wolfgang,

Wolfgang Rosenauer writes:
> Thanks for that hint. I guess this is exactly the issue.
> The recursive resolver for the smtp client is actually indeed also the
> authoritative dns for the target domain.
> This special case came absolutely unexpected to me though.
If the DNS server that is the owner of the data (the authoritative
server) would also do the DNSSEC verification, not much security
would be gained. It would be like having the treasurer and the auditor
being the same person, not secure.

With DNSSEC, the validating resolver cannot be authoritative. A DNS
server that is authoritative will respond with an AA (Authoritative
Answer) flag, but never with AD (Authenticated Data).

I wrote an blog article on this topic some while ago:

Best regard


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 883 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the dane-users mailing list