Postfix and PDNS
Carsten Strotmann (sys4)
cs at sys4.de
Mon Jul 11 23:12:35 CEST 2016
Hi Wolfgang,
On 11/07/2016 22:16 PM, Wolfgang Rosenauer wrote:
> Hi,
>
> I just switched to PowerDNS Recursor on my Postfix mailserver since
> their latest version (4) now supports DNSSEC validation.
>
> Unfortunately now Postfix seems to be unable to verify DANE anymore. I
> always get only "Anonymous TLS connections" where I got "Verified" ones
> when using bind.
>
> Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it
> seems that Postfix relies on the +AD flag to signal a DNSSEC validated
> response but doesn't request it. I can only find a set DO bit in the
> query's dump.
>
> I'm running Postfix 3.1.1 fwiw.
>
> Any idea?
>
>
> Thanks,
> Wolfgang
>
Setting the AD-Bit without the DO-Bit in a DNS query is a rather new
addition to DNSSEC (Feb 2013 --
https://tools.ietf.org/html/rfc6840#page-10 ).
It is used when a client just wants the AD-Bit in the response, without
the DNSSEC records. Only quite new DNS resolvers support this.
In the original DNSSEC standard (RFC 4033-4035) as implemented in BIND 9,
Unbound, MS DNS and other DNS resolvers, when a stub resolver asks with
the DO-Bit set, the resolver will validate the data and return the
DNSSEC records plus the AD-Bit set in case all data validates.
If PowerDNS Recursor does not set the AD-Bit on a query with the DO-Bit set,
it looks like the DNSSEC protocol is not implemented in a way compatible
with existing software.
-- Carsten
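To make the DO/AD exchange in this thread concrete, here is an added example (not code from the post, from Postfix or from PowerDNS) that builds a TLSA query with the EDNS0 DO bit, optionally the RFC 6840 AD-in-query bit, and then applies the same rule a DANE client such as Postfix uses: TLSA data is only trusted when the resolver returns NOERROR with AD=1. The query name, the transaction id and the 32-byte hash in the sample TLSA record are constructed placeholders; the two response packets are built inline so the script runs offline.

```python
"""
Added example, not from the thread or from Postfix/PowerDNS.

Builds a DNS query carrying the EDNS0 DO bit (RFC 6891), optionally the
AD bit that RFC 6840 section 5.7 lets a client set in a query, and reads
the AD flag from a response header: the signal a DANE client checks before
it trusts TLSA data. Stdlib only; sample packets are constructed by hand.
"""
import struct

TYPE_OPT = 41
TYPE_TLSA = 52
CLASS_IN = 1
# DNS header flag bits (RFC 1035, AD/CD from RFC 4035 section 3.2.3)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
EDNS_DO = 0x8000  # DO is the top bit of the OPT RR's 16-bit flags field


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name at buf[off]."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def build_query(name, qtype=TYPE_TLSA, txid=0x1234, set_do=True, set_ad=False):
    """Build a UDP query. set_do adds an OPT RR with DO=1; set_ad sets AD in the header."""
    flags = FLAG_RD | (FLAG_AD if set_ad else 0)
    arcount = 1 if set_do else 0
    pkt = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if set_do:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL field = extended rcode (8) | version (8) | flags (16, DO on top)
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return pkt


def parse_header(pkt):
    """Decode the 12-byte DNS header into a dict of the fields we care about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def query_has_do(pkt):
    """True if the packet carries an OPT RR with the DO bit set."""
    h = parse_header(pkt)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(pkt, off) + 4          # skip QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(pkt, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == TYPE_OPT and ttl & EDNS_DO:
            return True
        off += 10 + rdlen
    return False


def dane_usable(resp):
    """DANE rule: use TLSA data only from a NOERROR answer the validating
    resolver marked Authenticated Data (AD=1); anything else is unauthenticated."""
    h = parse_header(resp)
    return h["qr"] and h["rcode"] == 0 and h["ad"]


def constructed_response(query, ad):
    """Constructed sample: answer the query with one TLSA RR, with or without AD."""
    h = parse_header(query)
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    qlen = skip_name(query, 12) + 4
    out = struct.pack("!HHHHHH", h["id"], flags, 1, 1, 0, 1) + query[12:qlen]
    # TLSA RR: name is a pointer to the question (0xC00C), usage 3 /
    # selector 1 / matching type 1, then a constructed 32-byte hash placeholder
    rdata = bytes([3, 1, 1]) + bytes(range(32))
    out += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TLSA, CLASS_IN, 3600, len(rdata)) + rdata
    out += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return out


if __name__ == "__main__":
    q = build_query("_25._tcp.mail.example.net.")   # constructed name
    print("query sets DO:", query_has_do(q))
    for ad in (True, False):
        r = constructed_response(q, ad)
        print("AD=%d -> TLSA usable for DANE: %s" % (ad, dane_usable(r)))
```

Running the script shows the point of the thread: the same TLSA answer is accepted for DANE only when the header carries AD=1, so a resolver that validates but never sets AD on a DO query leaves the client with unauthenticated data. To check a live resolver instead of the constructed packets, send `build_query(...)` over UDP port 53 and pass the reply to `parse_header` and `dane_usable`.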