Postfix and PDNS
wolfgang.rosenauer at an-netz.de
Mon Jul 11 22:16:47 CEST 2016
I just switched to PowerDNS Recursor on my Postfix mailserver since
their latest version (4) now supports DNSSEC validation.
Unfortunately now Postfix seems to be unable to verify DANE anymore. I
always get only "Anonymous TLS connections" where I got "Verified" ones
when using bind.
Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it
seems that Postfix relies on the +AD flag to signal a DNSSEC validated
response but doesn't request it. I can only find a set DO bit in the
I'm running Postfix 3.1.1 fwiw.
More information about the dane-users