Postfix not accepting DANE secured peer

Wolfgang Rosenauer wolfgang.rosenauer at an-netz.de
Sat Jan 31 16:02:00 CET 2015


On 31.01.2015 at 12:29, Markus Benning wrote:
> On 30.01.2015 at 09:10, Viktor Dukhovni wrote:
>> * Your C library may not return the "AD" bit in DNSSEC replies
>> (OpenBSD seems to have this problem).
> 
> This may also be the case if your resolver is also authoritative for your
> domain. Then it won't do recursive validation and will not include the AD
> flag.

Thanks for that hint. I guess this is exactly the issue.
The recursive resolver for the SMTP client is actually indeed also the
authoritative DNS for the target domain.
This special case was absolutely unexpected to me though.


Wolfgang
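
The case discussed in this thread, as an added example that is not part of the original message: a check of the DNS response header that separates a validated answer (AD set) from an authoritative answer without AD. The function names and the sample headers are constructed for illustration.

```python
import struct

# DNS header flag masks (RFC 1035; AD is defined by the DNSSEC RFCs).
QR, AA, RD, RA, AD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020

def parse_flags(message):
    """Return the flags of a DNS response given its raw wire bytes."""
    if len(message) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", message[:12])
    if not flags & QR:
        raise ValueError("message is a query, not a response")
    return {"aa": bool(flags & AA), "ad": bool(flags & AD),
            "rcode": flags & 0x000F, "ancount": ancount}

def tlsa_answer_status(message):
    """Classify a TLSA response the way an AD-bit-trusting client sees it."""
    f = parse_flags(message)
    if f["rcode"] != 0:
        return (False, "lookup failed with rcode %d" % f["rcode"])
    if f["ad"]:
        return (True, "resolver validated the answer (AD set)")
    if f["aa"]:
        return (False, "authoritative answer without AD: served from the "
                       "resolver's own zone data, not validated")
    return (False, "answer not validated (AD clear)")

def make_header(flags, ancount=1):
    """Build a constructed 12-byte header for the samples below."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed samples, not captured traffic.
VALIDATED = make_header(QR | RD | RA | AD)        # flags: qr rd ra ad
AUTHORITATIVE = make_header(QR | AA | RD | RA)    # flags: qr aa rd ra

if __name__ == "__main__":
    for name, msg in (("validating resolver", VALIDATED),
                      ("resolver authoritative for zone", AUTHORITATIVE)):
        print(name, "->", tlsa_answer_status(msg))
```

The same flags appear in the `flags:` line of `dig` output, so an answer showing `aa` without `ad` for the TLSA record matches the situation described above.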

