31 Jan 2015, 12:29 p.m.
On 30.01.2015 at 09:10, Viktor Dukhovni wrote:
> - Your C library may not return the "AD" bit in DNSSEC replies
>   (OpenBSD seems to have this problem).

This may also be the case if your resolver is also authoritative for your domain. Then it won't do recursive validation and will not include the AD flag.
There is an LD_PRELOAD wrapper called cwrap/resolv_wrapper which allows overwriting the resolver per process without changing the global resolv.conf:
It was written for Samba. I had to add the following patch to make it work with Postfix:
https://markusbenning.de/tmp/0001-res_-n-xxx-functions-should-use-global-_re...
Markus
--
Markus Benning, https://markusbenning.de
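
The two cases discussed in this message (a validating resolver that sets AD, and an authoritative answer that comes back without AD) can be told apart from the DNS header flags alone. The following C code is an added example, not part of the original post and not code from Postfix or resolv_wrapper; the function name, the enum and the sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DNS header flag bits (header layout per RFC 1035, AD bit per RFC 4035). */
#define DNS_FLAG_QR 0x8000  /* message is a response */
#define DNS_FLAG_AA 0x0400  /* authoritative answer */
#define DNS_FLAG_AD 0x0020  /* authenticated data */

/* Hypothetical classification used only in this example. */
enum ad_status {
    AD_MALFORMED = -1,     /* shorter than a header, or not a response */
    AD_VALIDATED = 0,      /* AD set: the resolver validated the answer */
    AD_AUTHORITATIVE = 1,  /* AA set, AD clear: served from own zone data */
    AD_UNVALIDATED = 2     /* neither bit set: no validation was reported */
};

/* Classify a raw DNS response by looking at its 12-byte header only. */
enum ad_status classify_response(const uint8_t *msg, size_t len)
{
    if (msg == NULL || len < 12)
        return AD_MALFORMED;
    /* Flags are the second 16-bit word of the header, in network order. */
    uint16_t flags = (uint16_t)((msg[2] << 8) | msg[3]);
    if (!(flags & DNS_FLAG_QR))
        return AD_MALFORMED;
    if (flags & DNS_FLAG_AD)
        return AD_VALIDATED;
    if (flags & DNS_FLAG_AA)
        return AD_AUTHORITATIVE;
    return AD_UNVALIDATED;
}

/* Constructed sample headers (not captured traffic): id, flags, counts. */
static const uint8_t sample_validated[12]     = {0x12,0x34, 0x81,0xA0, 0,1, 0,1, 0,0, 0,0};
static const uint8_t sample_authoritative[12] = {0x12,0x34, 0x85,0x00, 0,1, 0,1, 0,0, 0,0};
static const uint8_t sample_plain[12]         = {0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0};

int main(void)
{
    printf("validating recursor: %d\n", classify_response(sample_validated, 12));
    printf("authoritative only:  %d\n", classify_response(sample_authoritative, 12));
    printf("non-validating:      %d\n", classify_response(sample_plain, 12));
    return 0;
}
```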