Postfix and PDNS

Carsten Strotmann (sys4) cs at
Mon Jul 11 23:12:35 CEST 2016

Hi Wolfgang,

On 11/07/2016 22:16 PM, Wolfgang Rosenauer wrote:
> Hi,
> I just switched to PowerDNS Recursor on my Postfix mailserver since
> their latest version (4) now supports DNSSEC validation.
> Unfortunately now Postfix seems to be unable to verify DANE anymore. I
> always get only "Anonymous TLS connections" where I got "Verified" ones
> when using bind.
> Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it
> seems that Postfix relies on the +AD flag to signal a DNSSEC validated
> response but doesn't request it. I can only find a set DO bit in the
> query's dump.
> I'm running Postfix 3.1.1 fwiw.
> Any idea?
> Thanks,
>  Wolfgang

setting the AD-Bit without DO-Bit in a DNS query is a rather new
addition to DNSSEC (Feb 2013 -- ).

It is used when a client just wants the AD-Bit in the response, without
the DNSSEC records. Only quite new DNS resolver support this.

The original DNSSEC standard RFC 4033-4035 as implemented in BIND 9,
Unbound, MS DNS and other DNS resovlers, when a stub-resolver asks with
the DO-Bit set, it will validate the data and return the DNSSEC-records
plus the AD-Bit set in case all data validates.

If PowerDNS recursor does not set the AD-Bit on a query with DO-Bit set,
it looks like the DNSSEC protocol is not implemented in a compatible way
to existing software.

-- Carsten

More information about the dane-users mailing list