From wolfgang.rosenauer at an-netz.de Mon Jul 11 22:16:47 2016
From: wolfgang.rosenauer at an-netz.de (Wolfgang Rosenauer)
Date: Mon, 11 Jul 2016 22:16:47 +0200
Subject: Postfix and PDNS
Message-ID: <498f309d-eaca-f339-6971-55aa9a7152eb@an-netz.de>

Hi,

I just switched to PowerDNS Recursor on my Postfix mailserver since
their latest version (4) now supports DNSSEC validation.

Unfortunately now Postfix seems to be unable to verify DANE anymore. I
always get only "Anonymous TLS connections" where I got "Verified" ones
when using bind.

Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it
seems that Postfix relies on the +AD flag to signal a DNSSEC validated
response but doesn't request it. I can only find a set DO bit in the
query's dump.

I'm running Postfix 3.1.1 fwiw.

Any idea?

Thanks,
Wolfgang


From ietf-dane at dukhovni.org Mon Jul 11 22:38:16 2016
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Mon, 11 Jul 2016 20:38:16 +0000
Subject: Postfix and PDNS
In-Reply-To: <498f309d-eaca-f339-6971-55aa9a7152eb@an-netz.de>
References: <498f309d-eaca-f339-6971-55aa9a7152eb@an-netz.de>
Message-ID: <20160711203816.GP23906@mournblade.imrryr.org>

On Mon, Jul 11, 2016 at 10:16:47PM +0200, Wolfgang Rosenauer wrote:

> Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it
> seems that Postfix relies on the +AD flag to signal a DNSSEC validated
> response but doesn't request it. I can only find a set DO bit in the
> query's dump.

Requesting "DO" is expected to subsume "AD". It does with BIND
and "unbound". The libresolv API does not provide a mechanism to
turn on the "AD" bit in requests made via res_search(3).

The only relevant resolver flag RES_USE_DNSSEC turns on "DO", not
"AD".

You should probably use "unbound" or BIND as your validating resolver,
PowerDNS is only compelling as an authoritative server.

-- 
	Viktor.


From michael at stroeder.com Mon Jul 11 23:04:36 2016
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 11 Jul 2016 23:04:36 +0200
Subject: Postfix and PDNS
In-Reply-To: <498f309d-eaca-f339-6971-55aa9a7152eb@an-netz.de>
References: <498f309d-eaca-f339-6971-55aa9a7152eb@an-netz.de>
Message-ID: <578409E4.80906@stroeder.com>

Wolfgang Rosenauer wrote:
> I just switched to PowerDNS Recursor on my Postfix mailserver since
> their latest version (4) now supports DNSSEC validation.
>
> Unfortunately now Postfix seems to be unable to verify DANE anymore. I
> always get only "Anonymous TLS connections" where I got "Verified" ones
> when using bind.
>
> Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it
> seems that Postfix relies on the +AD flag to signal a DNSSEC validated
> response but doesn't request it. I can only find a set DO bit in the
> query's dump.

Sorry for maybe asking the obvious:
Did you turn on DNSSEC validation in your recursor.conf?

dnssec=validate

Ciao, Michael.


From michael at stroeder.com Mon Jul 11 23:08:33 2016
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 11 Jul 2016 23:08:33 +0200
Subject: Postfix and PDNS
In-Reply-To: <578409E4.80906@stroeder.com>
References: <498f309d-eaca-f339-6971-55aa9a7152eb@an-netz.de> <578409E4.80906@stroeder.com>
Message-ID: <57840AD1.8070001@stroeder.com>

Michael Ströder wrote:
> Wolfgang Rosenauer wrote:
>> I just switched to PowerDNS Recursor on my Postfix mailserver since
>> their latest version (4) now supports DNSSEC validation.
>>
>> Unfortunately now Postfix seems to be unable to verify DANE anymore. I
>> always get only "Anonymous TLS connections" where I got "Verified" ones
>> when using bind.
>>
>> Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it
>> seems that Postfix relies on the +AD flag to signal a DNSSEC validated
>> response but doesn't request it. I can only find a set DO bit in the
>> query's dump.
>
> Sorry for maybe asking the obvious:
> Did you turn on DNSSEC validation in your recursor.conf?
>
> dnssec=validate

See also:
https://doc.powerdns.com/md/recursor/settings/#dnssec

Ciao, Michael.


From cs at sys4.de Mon Jul 11 23:12:35 2016
From: cs at sys4.de (Carsten Strotmann (sys4))
Date: Mon, 11 Jul 2016 23:12:35 +0200
Subject: Postfix and PDNS
In-Reply-To: <498f309d-eaca-f339-6971-55aa9a7152eb@an-netz.de>
References: <498f309d-eaca-f339-6971-55aa9a7152eb@an-netz.de>
Message-ID:

Hi Wolfgang,

On 11/07/2016 22:16 PM, Wolfgang Rosenauer wrote:
> Hi,
>
> I just switched to PowerDNS Recursor on my Postfix mailserver since
> their latest version (4) now supports DNSSEC validation.
>
> Unfortunately now Postfix seems to be unable to verify DANE anymore. I
> always get only "Anonymous TLS connections" where I got "Verified" ones
> when using bind.
>
> Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it
> seems that Postfix relies on the +AD flag to signal a DNSSEC validated
> response but doesn't request it. I can only find a set DO bit in the
> query's dump.
>
> I'm running Postfix 3.1.1 fwiw.
>
> Any idea?
>
>
> Thanks,
> Wolfgang
>

Setting the AD-Bit without DO-Bit in a DNS query is a rather new
addition to DNSSEC (Feb 2013 -- https://tools.ietf.org/html/rfc6840#page-10 ).

It is used when a client just wants the AD-Bit in the response, without
the DNSSEC records. Only quite new DNS resolvers support this.

The original DNSSEC standard RFC 4033-4035 as implemented in BIND 9,
Unbound, MS DNS and other DNS resolvers, when a stub-resolver asks with
the DO-Bit set, it will validate the data and return the DNSSEC-records
plus the AD-Bit set in case all data validates.

If PowerDNS recursor does not set the AD-Bit on a query with DO-Bit set,
it looks like the DNSSEC protocol is not implemented in a compatible way
to existing software.

-- Carsten


From peter.van.dijk at powerdns.com Tue Jul 12 13:05:46 2016
From: peter.van.dijk at powerdns.com (Peter van Dijk)
Date: Tue, 12 Jul 2016 13:05:46 +0200
Subject: Postfix and PDNS
In-Reply-To:
References: <498f309d-eaca-f339-6971-55aa9a7152eb@an-netz.de>
Message-ID:

Hello,

apologies if I am breaking the thread - I imported from the Mailman
archive and thus have no message IDs. I am taking this opportunity to
reply to two emails at once :)

On 11 Jul 2016, at 22:38, ietf-dane at dukhovni.org wrote:

> Requesting "DO" is expected to subsume "AD". It does with BIND
> and "unbound". The libresolv API does not provide a mechanism to
> turn on the "AD" bit in requests made via res_search(3).

I have requested an enhancement for this at
https://sourceware.org/bugzilla/show_bug.cgi?id=20358

> The only relevant resolver flag RES_USE_DNSSEC turns on "DO", not
> "AD".

I can see how that happened pre-RFC6840 but today this is an annoying
limitation. I have the impression Postfix has a private "clone" of
res_*, so maybe Postfix could change to +AD? It would seriously reduce
DNS response sizes for your TLSA queries.

On 11 Jul 2016, at 23:12, cs at sys4.de wrote:

> setting the AD-Bit without DO-Bit in a DNS query is a rather new
> addition to DNSSEC (Feb 2013 --
> https://tools.ietf.org/html/rfc6840#page-10 ).
>
> It is used when a client just wants the AD-Bit in the response,
> without
> the DNSSEC records. Only quite new DNS resolvers support this.

In DNSSEC, there are only new resolvers. DNSSEC is too new to be
running an old resolver.

> The original DNSSEC standard RFC 4033-4035 as implemented in BIND 9,
> Unbound, MS DNS and other DNS resolvers, when a stub-resolver asks
> with
> the DO-Bit set, it will validate the data and return the
> DNSSEC-records
> plus the AD-Bit set in case all data validates.

Neither 4035 or 6840 are clear enough on this. But indeed all other
implementations, including Google DNS, do validation + AD if DO is in
the query.

> If PowerDNS recursor does not set the AD-Bit on a query with DO-Bit
> set,
> it looks like the DNSSEC protocol is not implemented in a compatible
> way
> to existing software.

We did not expect anybody to rely on "DO implies AD", as we didn't
think that usage made any sense. In light of the glibc limitation
however, we are going to accommodate "older" clients, tracked at
https://github.com/PowerDNS/pdns/issues/4159

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
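Added example, not code from the thread, Postfix or PowerDNS: it builds the two kinds of request the thread contrasts on the wire (the EDNS0 DO bit that RES_USE_DNSSEC sets, and the header AD bit that RFC 6840 lets a stub set instead) and parses the AD/DO bits out of any query or response packet, which is the check to run on a tcpdump capture to see whether a resolver returned AD for a DO-only TLSA query. The domain name and the sample response are constructed.

```python
import struct

# Header flag bits (RFC 1035 sec. 4.1.1; AD from RFC 4035 sec. 3.2.3).
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
EDNS_DO = 0x8000          # top bit of the OPT RR "TTL" field (RFC 4035 sec. 3.2.1)
TYPE_OPT, TYPE_TLSA = 41, 52

def encode_name(name):
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype=TYPE_TLSA, txid=0x1234, want_ad=False, want_do=False):
    """want_do appends an OPT RR with DO (what RES_USE_DNSSEC sends);
    want_ad sets the header AD bit (the RFC 6840 sec. 5.7 style request)."""
    flags = FLAG_RD | (FLAG_AD if want_ad else 0)
    pkt = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if want_do else 0)
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS IN
    if want_do:  # root name, type OPT, UDP size 4096, ext-rcode 0, version 0, DO, rdlen 0
        pkt += b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return pkt

def skip_name(pkt, off):
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:        # compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def parse_flags(pkt):
    """Return the header AD bit, the EDNS DO bit and RCODE of a query or response."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off, do = 12, False
    for _ in range(qd):
        off = skip_name(pkt, off) + 4              # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
        off += 10 + rdlen
    return {"ad": bool(flags & FLAG_AD), "do": do, "rcode": flags & 0xF}

def constructed_response(query, validated):
    """Constructed sample: echo the query as an empty answer, AD set iff validated."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if validated else 0)
    return query[:2] + struct.pack("!H", flags) + query[4:]
```

A DO-only query parses as ad=False, do=True, which is exactly the packet Wolfgang saw in his dump; the resolver's reply must carry ad=True for Postfix to treat the TLSA records as usable for DANE.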