Frank Fiene ffiene at
Tue Jan 20 14:23:42 CET 2015

OK, i just have these two:

        dnssec-enable yes;
        dnssec-validation auto;

And i cannot configure this by hand!

Huh!!! No forwarder? So for any DNS query my Resolver must ask the Root-DNS-Servers?


> Am 20.01.2015 um 13:51 schrieb Benny Pedersen <me at>:
> Andreas Schulze skrev den 2015-01-20 13:08:
>> Am 20.01.2015 11:48 schrieb Frank Fiene:
>>> dig gives me the ad flag so my resolving chain should be fine.
>>> But if i send an email to the list, i still get no „Verified“ in my postfix log.
>> smtp_dns_support_level = dnssec ?
>> smtp_tls_security_level = dane ?
> and in named.conf
> 	dnssec-enable yes;
> 	dnssec-lookaside auto;
> 	dnssec-validation auto;
> 2 last options must not be yes, this will disable dane, with auto dane works
> in resolv.conf only have nameserver
> and bind9 must not have any forwarders !

Viele Grüße!
i.A. Frank Fiene
Frank Fiene
IT-Security Manager VEKA Group

Fon: +49 2526 29-6200
Fax: +49 2526 29-16-6200
mailto: ffiene at

PGP-ID: 62112A51
PGP-Fingerprint: 7E12 D61B 40F0 212D 5A55 765D 2A3B B29B 6211 2A51
Threema: VZK5NDWW

Dieselstr. 8
48324 Sendenhorst

Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO),
Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler,
Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Ulrich Weimer
HRB 8282 AG Münster/District Court of Münster

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the dane-users mailing list