Postfix not accepting DANE secured peer

Markus Benning ich at
Sat Jan 31 12:29:06 CET 2015

Am 30.01.2015 um 09:10 schrieb Viktor Dukhovni:
> * Your C library may not return the "AD" bit in DNSSEC replies
> (OpenBSD seems to have this problem).

This may also be the case if your resolver is also authorative for your
domain. Then it wont do recursive validation and will not include the AD

There is a LD_PRELOAD wrapper called cwrap/resolv_wrapper which allows
to overwrite the resolver per process
without changing global resolv.conf:

It was written for samba. I had to add the following patch to make it
work with postfix:


Markus Benning,

More information about the dane-users mailing list