Postfix and PDNS
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Jul 11 22:38:16 CEST 2016
On Mon, Jul 11, 2016 at 10:16:47PM +0200, Wolfgang Rosenauer wrote:
> Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it
> seems that Postfix relies on the +AD flag to signal a DNSSEC validated
> response but doesn't request it. I can only find a set DO bit in the
> query's dump.
Requesting "DO" is expected to subsume "AD". It does with BIND
and "unbound". The libresolv API does not provide a mechanism to
turn on the "AD" bit in requests made via res_search(3).
The only relevant resolver flag RES_USE_DNSSEC turns on "DO", not
"AD".
You should probably use "unbound" or BIND as your validating
resolver, PowerDNS is only compelling as an authoritative server.
--
Viktor.
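The DO/AD split described above, as an added illustration that is not part of the original thread or of Postfix's code: a small Python sketch of the DNS wire format showing that a DNSSEC-aware client only sets DO (in the EDNS OPT record) and then reads validation status from the AD header bit of the response. The TLSA name, digest and transaction id are constructed values.

```python
import struct

# Header flag bits (RFC 1035, RFC 4035) and the EDNS DO bit, which lives in the OPT RR TTL field (RFC 6891).
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
EDNS_DO, TYPE_OPT, TYPE_TLSA = 0x8000, 41, 52

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, off):
    """Advance past a wire-format name; a compression pointer (top two bits 11) ends it."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln

def build_query(name, qtype, dnssec_ok=True, txid=0x1234):
    """Query as a RES_USE_DNSSEC client sends it: RD set, AD clear, DO carried only in an OPT RR."""
    hdr = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if dnssec_ok:  # root name, TYPE=OPT, CLASS=UDP size 1232, TTL=ext-rcode/version/flags (DO), RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
    return hdr + question + opt

def build_response(query, ad):
    """Constructed TLSA answer to `query`; `ad` models whether the resolver validated it."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1 if len(query) > qend else 0)
    rdata = bytes([3, 1, 1]) + bytes(32)  # DANE-EE / SPKI / SHA-256 with a constructed all-zero digest
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TLSA, 1, 3600, len(rdata)) + rdata
    return hdr + query[12:qend] + answer + query[qend:]  # echo the question and the OPT RR

def inspect(msg):
    """AD is read from the header; DO only from an OPT RR in the additional section."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, do = 12, False
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        do = do or (rtype == TYPE_OPT and bool(ttl & EDNS_DO))
    return {"ad": bool(flags & FLAG_AD), "do": do}

def dnssec_validated(response):
    """What a DANE client keys on: the AD bit in the response header, never the DO bit it sent."""
    return inspect(response)["ad"]
```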