11 Jul 2016 10:38 p.m.
On Mon, Jul 11, 2016 at 10:16:47PM +0200, Wolfgang Rosenauer wrote:
> Apparently, and somewhat confirmed by tcpdump and the PowerDNS guys, it seems that Postfix relies on the +AD flag to signal a DNSSEC validated response but doesn't request it. I can only find a set DO bit in the query's dump.
Requesting "DO" is expected to subsume "AD". It does with BIND and "unbound". The libresolv API does not provide a mechanism to turn on the "AD" bit in requests made via res_search(3).
The only relevant resolver flag RES_USE_DNSSEC turns on "DO", not "AD".
You should probably use "unbound" or BIND as your validating resolver, PowerDNS is only compelling as an authoritative server.
--
Viktor.
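To see what the thread is talking about in the packets themselves: a libresolv client with RES_USE_DNSSEC sends a query whose EDNS OPT record has DO set and whose header has AD clear, and a validating resolver answers with AD set in the header. The following is an added example, not code from this thread or from Postfix; it parses both bits out of raw wire-format messages and runs on two constructed packets (a query for example.com/A and a matching validated reply) rather than on live traffic.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed packets, not captures: a query for example.com/A as a libresolv
 * client with RES_USE_DNSSEC sends it (RD set, AD clear, OPT RR with DO set),
 * and a validating resolver's reply (QR, RD, RA and AD set, same OPT RR). */
const uint8_t sample_query[] = {
    0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,1,                  /* header */
    7,'e','x','a','m','p','l','e',3,'c','o','m',0, 0,1, 0,1,   /* question */
    0, 0,41, 0x10,0x00, 0x00,0x00,0x80,0x00, 0,0 };            /* OPT, DO=1 */
const uint8_t sample_reply[] = {
    0x12,0x34, 0x81,0xa0, 0,1, 0,0, 0,0, 0,1,                  /* AD=1 */
    7,'e','x','a','m','p','l','e',3,'c','o','m',0, 0,1, 0,1,
    0, 0,41, 0x10,0x00, 0x00,0x00,0x80,0x00, 0,0 };

/* Skip a (possibly compressed) name; returns the next offset, or 0 if malformed. */
static size_t skip_name(const uint8_t *p, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = p[off];
        if (l == 0) return off + 1;
        if ((l & 0xC0) == 0xC0) return off + 2;   /* compression pointer */
        if (l & 0xC0) return 0;                    /* reserved label type */
        off += 1 + l;
    }
    return 0;
}
/* Header AD flag (RFC 4035): 1 if set, 0 if clear, -1 if malformed. */
int dns_ad_set(const uint8_t *p, size_t len)
{
    if (len < 12) return -1;
    return (p[3] & 0x20) ? 1 : 0;
}
/* DO bit of the OPT pseudo-RR (RFC 6891): 1/0, or -1 if no OPT RR or malformed. */
int dns_do_set(const uint8_t *p, size_t len)
{
    if (len < 12) return -1;
    size_t qd = p[4] << 8 | p[5], off = 12;
    size_t rrs = (p[6] << 8 | p[7]) + (p[8] << 8 | p[9]) + (p[10] << 8 | p[11]);
    for (size_t i = 0; i < qd; i++) {            /* question: name, qtype, qclass */
        if (!(off = skip_name(p, len, off)) || off + 4 > len) return -1;
        off += 4;
    }
    for (size_t i = 0; i < rrs; i++) {           /* RR: name, type, class, ttl, rdlen, rdata */
        if (!(off = skip_name(p, len, off)) || off + 10 > len) return -1;
        if ((p[off] << 8 | p[off + 1]) == 41)     /* OPT: DO is bit 15 of the TTL field */
            return (p[off + 6] & 0x80) ? 1 : 0;
        off += 10 + (size_t)(p[off + 8] << 8 | p[off + 9]);
    }
    return -1;
}
```

On the query, dns_do_set() returns 1 and dns_ad_set() returns 0, which is exactly the "DO set, AD not requested" picture from the tcpdump; on the reply from a validating resolver, dns_ad_set() returns 1.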