Matthias Wimmer m at
Tue Feb 2 18:37:27 CET 2016

Hi Benny,

On 2016-02-02 18:14:43, Benny Pedersen wrote:
> >$ postconf smtp_tls_security_level
> >smtp_tls_security_level = dane
> postconf -e "smtp_dns_support_level = dnssec"
> postconf -e "smtp_tls_security_level = dane"

The SERVFAIL is not generated by your postfix; these settings should not
cause it.

> >$ dig tlsa
> >
> >...
> >;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20811
> >; IN TLSA
> why SERVFAIL here?
> enable lame logs in bind9
> I don't use unbound

Interesting question. Tried it locally ...

On the first two or three requests I got SERVFAIL as well. Some requests
later (i.e. within the same minute) I could not reproduce these
problems. It also did not matter which of the three published nameservers
of I was querying; all were fine after the first requests.

Anyway, to reproduce the queries postfix sends, I normally would add the
+dnssec option to the dig command.

BTW: DNSsec resolving on this host is working without problems in


Matthias Wimmer

More information about the dane-users mailing list
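
The check discussed in the message above, as an added example that is not part of the original post: it repeats the TLSA lookup with `+dnssec` through the local resolver and against each authoritative nameserver, and reduces every dig answer to its status, AD flag and record counts. The host and nameserver names are placeholders and the sample dig output is constructed; answers fetched directly from an authoritative server normally do not carry the AD flag, which is set by a validating resolver.

```shell
#!/bin/sh
# Added example: repeat the TLSA lookup with +dnssec and summarise each answer.
# Usage: sh tlsa-check.sh _25._tcp.mail.example.net ns1.example.net ns2.example.net
# (names are placeholders; with no arguments a constructed sample is parsed).

# Reduce dig output on stdin to: status, AD flag, TLSA and RRSIG(TLSA) counts.
summarize_dig() {
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            flags = $0; sub(/^;; flags: */, "", flags); sub(/;.*$/, "", flags)
            ad = index(" " flags " ", " ad ") ? "yes" : "no"
        }
        $1 !~ /^;/ && $4 == "TLSA" { tlsa++ }
        $1 !~ /^;/ && $4 == "RRSIG" && $5 == "TLSA" { rrsig++ }
        END {
            printf "status=%s ad=%s tlsa=%d rrsig=%d\n",
                (status == "" ? "NONE" : status), (ad == "" ? "no" : ad), tlsa, rrsig
        }'
}

# Three rounds, since a SERVFAIL may only show up on the first few queries.
check_all() {
    name=$1; shift
    for round in 1 2 3; do
        printf 'round %s resolver: ' "$round"
        dig +dnssec "$name" TLSA | summarize_dig
        for ns in "$@"; do
            printf 'round %s @%s: ' "$round" "$ns"
            dig +dnssec +norecurse "@$ns" "$name" TLSA | summarize_dig
        done
    done
}

# Constructed sample (not captured from a real server).
sample_servfail() {
    printf '%s\n' \
        ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20811' \
        ';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
}

if [ "$#" -ge 1 ]; then
    check_all "$@"
else
    sample_servfail | summarize_dig
fi
```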