Postfix and PDNS

Michael Ströder michael at
Mon Jul 11 23:08:33 CEST 2016

Michael Ströder wrote:
> Wolfgang Rosenauer wrote:
>> I just switched to PowerDNS Recursor on my Postfix mailserver since
>> their latest version (4) now supports DNSSEC validation.
>> Unfortunately now Postfix seems to be unable to verify DANE anymore. I
>> always get only "Anonymous TLS connections" where I got "Verified" ones
>> when using bind.
>> Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it
>> seems that Postfix relies on the +AD flag to signal a DNSSEC validated
>> response but doesn't request it. I can only find a set DO bit in the
>> query's dump.
> Sorry for maybe asking the obvious:
> Did you turn on DNSSEC validation in your recursor.conf?
> dnssec=validate

See also:

Ciao, Michael.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4245 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the dane-users mailing list