Postfix not accepting DANE secured peer

Viktor Dukhovni ietf-dane at
Sat Jan 31 20:14:21 CET 2015

On Sat, Jan 31, 2015 at 04:02:00PM +0100, Wolfgang Rosenauer wrote:

> Am 31.01.2015 um 12:29 schrieb Markus Benning:
> > Am 30.01.2015 um 09:10 schrieb Viktor Dukhovni:
> >> * Your C library may not return the "AD" bit in DNSSEC replies
> >> (OpenBSD seems to have this problem).
> > 
> > This may also be the case if your resolver is also authoritative for your
> > domain. Then it won't do recursive validation and will not include the AD
> > flag.
> Thanks for that hint. I guess this is exactly the issue.  The recursive
> resolver for the smtp client is actually indeed also the authoritative
> dns for the target domain.  This special case came absolutely unexpected
> to me though.

Not surprising that it did not occur to you, it is unfortunately
not documented.

I've never tested a recursive resolver that is also authoritative
for DNSSEC signed domains.

Based on long-standing advice from DJB, that is now considered
"best practice", I always separate the authoritative and recursive
DNS servers.  On my mail server (which is also the primary nameserver
for my domain) I have:

	* <loopback:53> - Recursive, validating unbound resolver,
          authoritative only for localhost and loopback addresses:

	    interface: ::1
	    do-not-query-address: ::1
	    cache-max-ttl: 14400
	    max-udp-size: 8192
	    minimal-responses: yes
	    module-config: "validator iterator"
	    auto-trust-anchor-file: "keys/root.key"

	    local-zone: "localhost." static
	    local-zone: "" static
	    local-zone: "" static
	    domain-insecure: "localhost."
	    domain-insecure: ""
	    domain-insecure: ""
	    local-data: "localhost. IN A"
	    local-data: "localhost. IN AAAA ::1"
	    local-data-ptr: " localhost."
	    local-data-ptr: "::1 localhost."

	* <public-address>:53 - Authoritative BIND 9.10p1 server,
	  which serves a few domains.

	    options {

		# DNSSEC, with 14 day signatures, the secondary expire
		# time in the SOA should be at most 7 days.  Otherwise,
		# secondaries might in some cases serve already expired
		# data.
		dnssec-enable yes;
		sig-validity-interval 14;

		# Authoritative service only, listen on external v4/v6
		# addresses, but not the loopback ("unbound" resolver).
		recursion no;
		listen-on { <public ip range>; };
		listen-on-v6 { <public ipv6 range>; };

The /etc/resolv.conf file lists only, so all queries for
my own domain go to "unbound", which does the validation, and sets
the AD bit the same way as for "remote" domains, since for "unbound"
all domains are "remote".
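The check this thread turns on, as an added example that is not part of the original post: a stdlib-only Python helper that builds the kind of DO-flagged query a DANE client sends for TLSA records and reads the RA/AD bits and RCODE out of the raw reply header, so you can see whether a given resolver actually returns AD. The two sample replies are constructed (header only); `query_resolver` is the only part that needs a network.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 / RFC 4035) and the EDNS0 DO bit (RFC 6891).
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
EDNS_DO = 0x8000          # DO bit lives in the high half of the OPT record's TTL field
QTYPE_TLSA = 52

def build_query(name, qtype, txid=0x1234):
    """Build a query with RD set plus an OPT record carrying DO, i.e. "send me DNSSEC data"."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)   # qdcount=1, arcount=1 (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)               # QCLASS IN
    # OPT RR: root name, TYPE 41, UDP payload size 4096, ext-rcode/version 0 + DO, empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt

def parse_flags(response):
    """Return the validation-relevant header fields of a raw DNS reply (header only is read)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ra": bool(flags & FLAG_RA),
            "ad": bool(flags & FLAG_AD), "answers": an}

def dane_usable(response):
    """A DANE client only trusts TLSA data when the reply is NOERROR and carries AD."""
    f = parse_flags(response)
    return f["rcode"] == 0 and f["ad"]

def query_resolver(resolver_ip, name, qtype=QTYPE_TLSA, timeout=3.0):
    """Send the DO-flagged query to a resolver over UDP and return the raw reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (resolver_ip, 53))
        return s.recv(4096)

# Constructed sample replies: QR|RD|RA set, one answer; only the first one also sets AD,
# which is what a validating recursive resolver returns and an authoritative-only one does not.
VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180 | FLAG_AD, 1, 1, 0, 1)
UNVALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
```

Run `dane_usable(query_resolver("<resolver ip>", "_25._tcp.<mx host>"))` against each resolver in resolv.conf; a `False` for a domain the resolver is also authoritative for is exactly the situation described above.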
