Postfix not accepting DANE secured peer
Markus Benning
ich at markusbenning.de
Sat Jan 31 12:29:06 CET 2015
On 30.01.2015 at 09:10, Viktor Dukhovni wrote:
> * Your C library may not return the "AD" bit in DNSSEC replies
> (OpenBSD seems to have this problem).
This may also be the case if your resolver is also authoritative for your
domain. Then it won't do recursive validation and will not include the AD
flag.
There is an LD_PRELOAD wrapper called cwrap/resolv_wrapper which allows
you to overwrite the resolver per process without changing the global
resolv.conf:
http://www.cwrap.org/
It was written for Samba. I had to add the following patch to make it
work with Postfix:
https://markusbenning.de/tmp/0001-res_-n-xxx-functions-should-use-global-_res.patch
Markus
--
Markus Benning, https://markusbenning.de
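
An added example (not from the original message, and not Postfix or cwrap code): Python that sends a TLSA query with the AD bit set and classifies the reply header, separating the authoritative-without-AD case described above from a validated answer. The function names, the verdict strings and the sample headers are constructed for illustration.

```python
import socket
import struct

QR, AA, RD, RA, AD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020

def build_query(name, qtype=52, qid=0x1234):
    """TLSA (type 52) query with RD and AD set; per RFC 6840 a set AD bit
    in the query signals that the client wants AD in the reply."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD | AD, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def classify_reply(reply):
    """Map the header flags of a DNS reply to (flags, verdict)."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    bits = struct.unpack("!H", reply[2:4])[0]
    if not bits & QR:
        raise ValueError("not a response")
    flags = {"aa": bool(bits & AA), "ra": bool(bits & RA),
             "ad": bool(bits & AD), "rcode": bits & 0x000F}
    if flags["rcode"] == 2:
        verdict = "servfail"             # e.g. validation failed upstream
    elif flags["ad"]:
        verdict = "validated"            # resolver vouches for the data
    elif flags["aa"]:
        verdict = "authoritative-no-ad"  # served from the resolver's own zone
    else:
        verdict = "unvalidated"          # non-validating resolver, unsigned zone or stripped AD
    return flags, verdict

def ask(resolver_ip, name, timeout=3.0):
    """Live check against one resolver over UDP (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return classify_reply(s.recvfrom(4096)[0])

# Constructed 12-byte reply headers (id, flags, qd, an, ns, ar), not captured traffic.
SAMPLES = {
    "own-zone": struct.pack("!HHHHHH", 0x1234, QR | AA | RD | RA, 1, 1, 0, 0),
    "validating": struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 0),
    "plain": struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0),
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, classify_reply(header))
```

Calling `ask()` with the address from resolv.conf and the TLSA name of the peer's MX shows which of the four cases the resolver falls into.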