OK, I just have these two:

        dnssec-enable yes;
        dnssec-validation auto;

And I cannot configure this by hand!

Huh!!! No forwarder? So for any DNS query my Resolver must ask the Root-DNS-Servers?


Regards!
Frank

On 20.01.2015 at 13:51, Benny Pedersen <me@junc.eu> wrote:

Andreas Schulze wrote on 2015-01-20 13:08:
On 20.01.2015 11:48, Frank Fiene wrote:
dig gives me the ad flag so my resolving chain should be fine.
But if I send an email to the list, I still get no „Verified“ in my postfix log.
smtp_dns_support_level = dnssec ?
smtp_tls_security_level = dane ?

and in named.conf

dnssec-enable yes;
dnssec-lookaside auto;
dnssec-validation auto;

2 last options must not be yes, this will disable dane, with auto dane works

in resolv.conf only have nameserver 127.0.0.1

and bind9 must not have any forwarders !

Best regards!
i.A. Frank Fiene
-- 
Frank Fiene
IT-Security Manager VEKA Group
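The settings named in this thread can be checked together across main.cf, resolv.conf and named.conf. The following is an added example, not code from any of the posters; the function names and the sample file contents are constructed for illustration, and the forwarders check only reports what the thread advises against.

```python
import ipaddress
import re

def parse_main_cf(text):
    """main.cf rules: '#' comment lines, indented lines continue, last value wins."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:
            params[key] = (params[key] + " " + line.strip()).strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            key = name.strip()
            params[key] = value.strip()
    return params

def nameservers(text):
    rows = [line.split() for line in text.splitlines()]
    return [r[1] for r in rows if len(r) > 1 and r[0] == "nameserver"]

def named_settings(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # block comments
    text = re.sub(r"(//|#).*", "", text)                # line comments
    val = re.search(r"\bdnssec-validation\s+(\w+)\s*;", text)
    fwd = re.search(r"\bforwarders\s*\{([^}]*)\}", text)
    hosts = [h.strip() for h in fwd.group(1).split(";") if h.strip()] if fwd else []
    return (val.group(1) if val else None), hosts

def audit(main_cf, resolv_conf, named_conf):
    findings, params = [], parse_main_cf(main_cf)
    for key, want in (("smtp_dns_support_level", "dnssec"),
                      ("smtp_tls_security_level", "dane")):
        if params.get(key) != want:
            findings.append(f"main.cf: {key} = {params.get(key)!r}, thread suggests {want!r}")
    ns = nameservers(resolv_conf)
    if not ns or not all(ipaddress.ip_address(n).is_loopback for n in ns):
        findings.append(f"resolv.conf: nameservers {ns} are not all loopback")
    validation, forwarders = named_settings(named_conf)
    if validation != "auto":
        findings.append(f"named.conf: dnssec-validation = {validation!r}, thread suggests 'auto'")
    if forwarders:
        findings.append(f"named.conf: forwarders configured: {forwarders}")
    return findings

# Constructed sample files, not taken from any poster's system.
MAIN_CF = "smtp_dns_support_level = dnssec\nsmtp_tls_security_level = may\n"
RESOLV = "nameserver 127.0.0.1\nnameserver 192.0.2.53\n"
NAMED = "options {\n  dnssec-validation yes;  // not auto\n  forwarders { 192.0.2.1; };\n};\n"
```

Calling `audit(MAIN_CF, RESOLV, NAMED)` returns one finding per deviation; an empty list means the three files match the thread's checklist.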