Postfix and PDNS

Wolfgang Rosenauer wolfgang.rosenauer at an-netz.de
Mon Jul 11 22:16:47 CEST 2016


Hi,

I just switched to PowerDNS Recursor on my Postfix mailserver since
their latest version (4) now supports DNSSEC validation.

Unfortunately now Postfix seems to be unable to verify DANE anymore. I
always get only "Anonymous TLS connections" where I got "Verified" ones
when using bind.

Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it
seems that Postfix relies on the +AD flag to signal a DNSSEC validated
response but doesn't request it. I can only find a set DO bit in the
query's dump.

I'm running Postfix 3.1.1 fwiw.

Any idea?


Thanks,
 Wolfgang



More information about the dane-users mailing list