Postfix and PDNS

Michael Ströder michael at stroeder.com
Mon Jul 11 23:08:33 CEST 2016


Michael Ströder wrote:
> Wolfgang Rosenauer wrote:
>> I just switched to PowerDNS Recursor on my Postfix mailserver since
>> their latest version (4) now supports DNSSEC validation.
>>
>> Unfortunately now Postfix seems to be unable to verify DANE anymore. I
>> always get only "Anonymous TLS connections" where I got "Verified" ones
>> when using bind.
>>
>> Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it
>> seems that Postfix relies on the +AD flag to signal a DNSSEC validated
>> response but doesn't request it. I can only find a set DO bit in the
>> query's dump.
> 
> Sorry for maybe asking the obvious:
> Did you turn on DNSSEC validation in your recursor.conf?
> 
> dnssec=validate

See also:

https://doc.powerdns.com/md/recursor/settings/#dnssec

Ciao, Michael.
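
Added example, not part of the original post: a Python sketch for reading the two DNSSEC signalling bits discussed in this thread from a raw DNS message (for instance one extracted from a tcpdump capture), namely the AD flag in the header and the DO flag in the EDNS OPT record. The function names and the TLSA query for _25._tcp.mail.example.com are constructed for illustration, and well-formed input is assumed.

```python
import struct

RD, AD, CD = 0x0100, 0x0020, 0x0010   # DNS header flag masks
DO = 0x8000                           # EDNS flag, carried in the OPT record's TTL field
TYPE_OPT, TYPE_TLSA = 41, 52

def build_query(name, qtype, ad=False, do=False, qid=0x1234):
    """Build a query that optionally sets AD in the header and/or DO via EDNS."""
    flags = RD | (AD if ad else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = struct.pack("!6H", qid, flags, 1, 0, 0, 1 if do else 0)
    msg += qname + struct.pack("!2H", qtype, 1)
    if do:
        # OPT pseudo-RR: root name, type 41, class = UDP payload size,
        # TTL = extended rcode / version / flags, empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer is two bytes long
            return off + 2
        off += 1 + n

def dnssec_bits(msg):
    """Report AD/CD from the header and DO from the OPT record, if present."""
    _qid, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & DO)
    return {"ad": bool(flags & AD), "cd": bool(flags & CD), "do": do}

if __name__ == "__main__":
    # Constructed sample: a DO-only query, as described in the quoted dump
    q = build_query("_25._tcp.mail.example.com", TYPE_TLSA, do=True)
    print(dnssec_bits(q))
```

The same dnssec_bits() call works on a response payload, where the "ad" value shows whether the resolver marked the answer as validated.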
