Postfix question

Frank Fiene ffiene at veka.com
Thu Jan 15 15:25:30 CET 2015


> On 15.01.2015 at 14:10, Michael Schwartzkopff <ms at sys4.de> wrote:
> 
> On Thursday, 15 January 2015, 13:46:39, Frank Fiene wrote:
>> The „da" flag is missing!?
> 
> „ad"

Sigh, Apple ...

>> 
>>> On 15.01.2015 at 13:06, Patrick Ben Koetter <p at sys4.de> wrote:
>>> 
>>> dig +dnssec dane.sys4.de
>> 
>> root@mail:/home/ffiene# dig +dnssec dane.sys4.de +m
>> 
>> ; <<>> DiG 9.9.5-3-Ubuntu <<>> +dnssec dane.sys4.de +m
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53974
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 5
> 
> 
> Your resolver gets all the dnssec relevant RR of the domain, but does not 
> check if the RRSIG are really correct. Please check the same with a dnssec 
> enabled resolver. 8.8.8.8 for instance does check the signatures.
> 
> dig @8.8.8.8 +dnssec sys4.de
> 
> You will see that the "ad" flag is present in the answer.
> 
> Next step: Install a dnssec aware resolver.

On the other mailserver with no local DNS server (the other mailserver has a local DNS server which forwards to the same as this one):

root@mail1:/etc/postfix# dig +dnssec dane.sys4.de +m

; <<>> DiG 9.9.5-3ubuntu0.1-Ubuntu <<>> +dnssec dane.sys4.de +m
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42645
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1


But still anonymous TLS connections only!



Frank

> Kind regards,
> 
> Michael Schwartzkopff
> 
> -- 
> [*] sys4 AG
> 
> http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
> Franziskanerstraße 15, 81669 München
> 
> Registered office: Munich, Munich District Court: HRB 199263
> Executive Board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the Supervisory Board: Florian Kirstein

Best regards!
i.A. Frank Fiene
-- 
Frank Fiene
IT-Security Manager VEKA Group

Fon: +49 2526 29-6200
Fax: +49 2526 29-16-6200
mailto: ffiene at veka.com
http://www.veka.com

PGP-ID: 62112A51
PGP-Fingerprint: 7E12 D61B 40F0 212D 5A55 765D 2A3B B29B 6211 2A51
Threema: VZK5NDWW

VEKA AG
Dieselstr. 8
48324 Sendenhorst
Deutschland/Germany

Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO),
Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler,
Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Ulrich Weimer
HRB 8282 AG Münster/District Court of Münster
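
Added example, not part of the original message: a small Python check that reads the header of a dig answer and reports whether the resolver set the "ad" flag discussed in this thread. The two samples reuse the header lines quoted above; the function names and verdict strings are assumptions made for this illustration.

```python
import re

# Header lines copied from the two dig outputs quoted in this message.
SAMPLE_MAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53974
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 5
"""
SAMPLE_MAIL1 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42645
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)", re.M)
FLAGS_RE = re.compile(r"^;; flags:([a-z ]*);", re.M)


def parse_dig_header(text):
    """Extract opcode, status, id and the set of header flags from dig output."""
    header = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not header or not flags:
        raise ValueError("no dig header found in input")
    return {
        "opcode": header.group(1),
        "status": header.group(2),
        "id": int(header.group(3)),
        "flags": set(flags.group(1).split()),
    }


def dnssec_verdict(text):
    """Classify a dig answer by what it says about DNSSEC validation."""
    hdr = parse_dig_header(text)
    if hdr["status"] == "SERVFAIL":
        # A validating resolver answers SERVFAIL when signatures do not verify;
        # other failures look the same, so this is reported separately.
        return "servfail"
    if "ad" in hdr["flags"]:
        return "validated"      # resolver checked the RRSIGs and set AD
    return "unvalidated"        # records returned, signatures not checked


if __name__ == "__main__":
    for name, sample in (("mail", SAMPLE_MAIL), ("mail1", SAMPLE_MAIL1)):
        print(name, dnssec_verdict(sample))
```

The "ad" bit is only as trustworthy as the path to the resolver that set it, which is why a validating resolver on the mail host itself is the usual setup.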
