Postfix question

Michael Schwartzkopff ms at sys4.de
Thu Jan 15 14:10:19 CET 2015


On Thursday, 15 January 2015, 13:46:39, Frank Fiene wrote:
> The "da" flag is missing!?

"ad"

> 
> > On 15.01.2015 at 13:06, Patrick Ben Koetter <p at sys4.de> wrote:
> > 
> > dig +dnssec dane.sys4.de
> 
> root at mail:/home/ffiene# dig +dnssec dane.sys4.de +m
> 
> ; <<>> DiG 9.9.5-3-Ubuntu <<>> +dnssec dane.sys4.de +m
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53974
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 5
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;dane.sys4.de.		IN A
> 
> ;; ANSWER SECTION:
(...)


Your resolver gets all the DNSSEC-relevant RRs of the domain, but does not 
check whether the RRSIGs are really correct. Please check the same with a 
DNSSEC-enabled resolver. 8.8.8.8, for instance, does check the signatures.

dig @8.8.8.8 +dnssec sys4.de

You will see that the "ad" flag is present in the answer.

Next step: Install a DNSSEC-aware resolver.

Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: Munich, Munich District Court: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
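
The check described in the message above, as an added example that is not part of the original post: a shell function that classifies `dig +dnssec` output by whether the resolver set the "ad" flag. The function name `classify_dig`, the sample variables and the sample records (addresses, TTLs, signature placeholders) are constructed for illustration.

```shell
#!/bin/sh
# classify_dig (hypothetical helper): read `dig +dnssec` output on stdin, print
#   validated   - "ad" flag set: the resolver checked the signatures
#   unvalidated - RRSIG records returned but no "ad": signatures were not checked
#   unsigned    - no RRSIG records and no "ad" flag
#   servfail    - status SERVFAIL (what a validating resolver returns for bogus data)
classify_dig() {
    awk '
        /->>HEADER<<-/ && /status: SERVFAIL/ { servfail = 1 }
        # Header flags line, e.g. ";; flags: qr rd ra ad; QUERY: 1, ..."
        # The EDNS line ("; EDNS: ... flags: do;") has one semicolon and is skipped.
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags: */, "", flags)
            sub(/;.*/, "", flags)
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        # Resource-record lines do not start with ";" and carry the type in field 4.
        !/^;/ && $4 == "RRSIG" { rrsig = 1 }
        END {
            if (servfail)   print "servfail"
            else if (ad)    print "validated"
            else if (rrsig) print "unvalidated"
            else            print "unsigned"
        }'
}

# Constructed sample: flags as in the quoted output (no "ad"), records invented.
SAMPLE_FORWARDING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53974
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 5
; EDNS: version: 0, flags: do; udp: 4096
dane.sys4.de. 3600 IN A 192.0.2.10
dane.sys4.de. 3600 IN RRSIG A 8 3 3600 ( constructed-signature )'

# Constructed sample: the same answer as a validating resolver would flag it.
SAMPLE_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 5
; EDNS: version: 0, flags: do; udp: 4096
dane.sys4.de. 3600 IN A 192.0.2.10
dane.sys4.de. 3600 IN RRSIG A 8 3 3600 ( constructed-signature )'

printf '%s\n' "$SAMPLE_FORWARDING" | classify_dig
printf '%s\n' "$SAMPLE_VALIDATING" | classify_dig
# Live use against the configured resolver: dig +dnssec dane.sys4.de | classify_dig
```
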

