Postfix and PDNS

Viktor Dukhovni ietf-dane at
Mon Jul 11 22:38:16 CEST 2016

On Mon, Jul 11, 2016 at 10:16:47PM +0200, Wolfgang Rosenauer wrote:

> Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it
> seems that Postfix relies on the +AD flag to signal a DNSSEC validated
> response but doesn't request it. I can only find a set DO bit in the
> query's dump.

Requesting "DO" is expected to subsume "AD".  It does with BIND
and "unbound".  The libresolv API does not provide a mechanism to
turn on the "AD" bit in requests made via res_search(3).

The only relevant resolver flag RES_USE_DNSSEC turns on "DO", not

You should probably use "unbound" or BIND as your validating
resolver, PowerDNS is only compelling as an authoritative server.


More information about the dane-users mailing list