Postfix and PDNS
Carsten Strotmann (sys4)
cs at sys4.de
Mon Jul 11 23:12:35 CEST 2016
On 11/07/2016 22:16 PM, Wolfgang Rosenauer wrote:
> I just switched to PowerDNS Recursor on my Postfix mailserver since
> their latest version (4) now supports DNSSEC validation.
> Unfortunately now Postfix seems to be unable to verify DANE anymore. I
> always get only "Anonymous TLS connections" where I got "Verified" ones
> when using bind.
> Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it
> seems that Postfix relies on the +AD flag to signal a DNSSEC validated
> response but doesn't request it. I can only find a set DO bit in the
> query's dump.
> I'm running Postfix 3.1.1 fwiw.
> Any idea?
Setting the AD-Bit without DO-Bit in a DNS query is a rather new
addition to DNSSEC (Feb 2013 --
It is used when a client just wants the AD-Bit in the response, without
the DNSSEC records. Only quite new DNS resolvers support this.
Under the original DNSSEC standard RFC 4033-4035 as implemented in BIND 9,
Unbound, MS DNS and other DNS resolvers, when a stub-resolver asks with
the DO-Bit set, it will validate the data and return the DNSSEC-records
plus the AD-Bit set in case all data validates.
If PowerDNS recursor does not set the AD-Bit on a query with DO-Bit set,
it looks like the DNSSEC protocol is not implemented in a compatible way
to existing software.
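The flag bits the thread argues about (the DO bit in the EDNS0 OPT record of the query, the AD bit in the header of the response) can be inspected on the wire without any resolver at all. The following is an added example, not code from the thread, from Postfix or from PowerDNS: it builds a TLSA query with the DO bit set (optionally also with the AD bit in the query, the newer form Carsten mentions), parses the header and OPT record of any DNS message, and applies the rule the thread describes, namely that TLSA data is only treated as verified when the response carries AD. The query name, the TLSA rdata and both responses are constructed in the script; the helper names (`build_query`, `inspect_message`, `build_response`, `dane_usable`) are the example's own.

```python
"""Inspect the DNSSEC flag bits a DANE client depends on: DO in the query's
OPT record, AD in the response header.  Pure stdlib, runs offline."""
import struct

QTYPE_TLSA = 52
TYPE_OPT = 41
FLAG_QR = 0x8000   # header: response
FLAG_RD = 0x0100   # header: recursion desired
FLAG_RA = 0x0080   # header: recursion available
FLAG_AD = 0x0020   # header: authentic data
EDNS_DO = 0x8000   # OPT record, low 16 bits of the TTL field: DNSSEC OK


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a root label."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def build_query(qname: str, qtype: int, set_do: bool = True,
                request_ad: bool = False, txid: int = 0x1234) -> bytes:
    """Build a DNS query with an EDNS0 OPT record.  `set_do` is the classic
    RFC 4035 way of asking for validation; `request_ad` is the newer form
    that sets AD in the query to ask only for the AD bit back."""
    flags = FLAG_RD | (FLAG_AD if request_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if set_do else 0, 0)
    return header + question + opt


def inspect_message(msg: bytes) -> dict:
    """Parse header flags and the OPT record (if any) of a query or response."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4        # qtype + qclass
    do = None                                 # None: no OPT record present
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
        off += rdlen
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ad": bool(flags & FLAG_AD), "do": do}


def build_response(query: bytes, set_ad: bool, set_do: bool = True) -> bytes:
    """Construct a minimal response to `query` with one TLSA answer.
    The rdata (usage 3, selector 1, matching 1, zeroed hash) is a placeholder."""
    txid, _flags, _qd, _an, _ns, _ar = struct.unpack_from("!HHHHHH", query, 0)
    qend = skip_name(query, 12) + 4
    question = query[12:qend]
    qtype = struct.unpack_from("!H", query, qend - 4)[0]
    rflags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if set_ad else 0)
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 1)
    rdata = bytes([3, 1, 1]) + b"\x00" * 32
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if set_do else 0, 0)
    return header + question + answer + opt


def dane_usable(response: bytes) -> bool:
    """The rule from the thread: TLSA data counts as verified only when the
    validating resolver sets AD on the response.  Without AD a client falls
    back to opportunistic ("Anonymous") TLS."""
    info = inspect_message(response)
    return info["qr"] and info["ad"]


if __name__ == "__main__":
    # Constructed names; no packet is sent anywhere.
    q = build_query("_25._tcp.mail.example.com", QTYPE_TLSA)
    print("query:", inspect_message(q))
    print("AD set by resolver  ->", dane_usable(build_response(q, set_ad=True)))
    print("AD not set          ->", dane_usable(build_response(q, set_ad=False)))
```

Pointing `inspect_message` at a real capture (the raw UDP payload from tcpdump) shows directly whether the query carried DO, whether the response carried AD, and therefore which side of the exchange is responsible for the "Anonymous TLS" downgrade.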