11 Jul 2016, 11:08 p.m.
Michael Ströder wrote:
Wolfgang Rosenauer wrote:
> I just switched to PowerDNS Recursor on my Postfix mailserver since their latest version (4) now supports DNSSEC validation.
> Unfortunately now Postfix seems to be unable to verify DANE anymore. I always get only "Anonymous TLS connections" where I got "Verified" ones when using bind.
> Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it seems that Postfix relies on the +AD flag to signal a DNSSEC validated response but doesn't request it. I can only find a set DO bit in the query's dump.
Sorry for maybe asking the obvious: Did you turn on DNSSEC validation in your recursor.conf?
dnssec=validate
See also:
https://doc.powerdns.com/md/recursor/settings/#dnssec
Ciao, Michael.
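The thread above turns on two separate DNSSEC signals: the AD bit in the DNS header and the DO bit carried in the EDNS0 OPT record. The following is an added example, not part of the original messages and not Postfix or PowerDNS code; it builds and decodes both bits so a captured query or response can be checked. The function names and the host name `mail.example.org` are assumptions made for illustration.

```python
import struct

AD_FLAG = 0x0020   # header bit "authentic data" (RFC 4035, RFC 6840)
DO_FLAG = 0x8000   # "DNSSEC OK" bit in the OPT pseudo-RR TTL field (RFC 3225)
TYPE_OPT = 41

def build_query(name, qtype, ad=False, do=False, msg_id=0x1234):
    """Build a DNS query; ad/do select which DNSSEC signals it carries."""
    flags = 0x0100 | (AD_FLAG if ad else 0)            # RD is always set
    header = struct.pack("!6H", msg_id, flags, 1, 0, 0, 1 if do else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!2H", qtype, 1)
    if do:  # OPT RR: root name, type 41, class = UDP size, TTL holds DO
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG, 0)
    return msg

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # a compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def dnssec_signals(msg):
    """Report the AD header bit and the EDNS DO bit of a DNS message."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):                 # question: name + type + class
        off = _skip_name(msg, off) + 4
    do = False
    for _ in range(an + ns + ar):       # walk every RR, looking for OPT
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & DO_FLAG)
    return {"is_response": bool(flags & 0x8000),
            "ad": bool(flags & AD_FLAG), "do": do}

if __name__ == "__main__":
    # Constructed sample: TLSA (type 52) query with DO set and AD clear,
    # the query shape described in the thread.
    print(dnssec_signals(build_query("_25._tcp.mail.example.org", 52, do=True)))
```

Feeding the raw DNS payload of a captured response to `dnssec_signals` shows whether the resolver set AD in its answer, which is the bit the thread says Postfix relies on.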