Hi Wolfgang,
On 11/07/2016 22:16 PM, Wolfgang Rosenauer wrote:
Hi,
I just switched to PowerDNS Recursor on my Postfix mailserver since their latest version (4) now supports DNSSEC validation.
Unfortunately now Postfix seems to be unable to verify DANE anymore. I always get only "Anonymous TLS connections" where I got "Verified" ones when using bind.
Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it seems that Postfix relies on the +AD flag to signal a DNSSEC validated response but doesn't request it. I can only find a set DO bit in the query's dump.
I'm running Postfix 3.1.1 fwiw.
Any idea?
Thanks, Wolfgang
Setting the AD-Bit without DO-Bit in a DNS query is a rather new addition to DNSSEC (Feb 2013 -- https://tools.ietf.org/html/rfc6840#page-10 ).
It is used when a client just wants the AD-Bit in the response, without the DNSSEC records. Only quite new DNS resolvers support this.
In the original DNSSEC standard RFC 4033-4035, as implemented in BIND 9, Unbound, MS DNS and other DNS resolvers, when a stub-resolver asks with the DO-Bit set, the resolver will validate the data and return the DNSSEC-records plus the AD-Bit set in case all data validates.
If PowerDNS recursor does not set the AD-Bit on a query with DO-Bit set, it looks like the DNSSEC protocol is not implemented in a compatible way to existing software.
-- Carsten
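The two query styles discussed in this thread (DO-Bit in the EDNS OPT record versus AD-Bit in the header, RFC 4035 versus RFC 6840) and the AD-Bit check on the reply can be shown on the wire format itself. The following is an added example, not code from this mailing-list thread, from Postfix or from PowerDNS: it builds both query variants, parses header and OPT flags out of a DNS message, and runs the parser over a constructed resolver reply (with and without AD set) so it works offline. The reply builder is a stand-in for a validating resolver and omits the RRSIG records a real DNSSEC answer would carry; the address 192.0.2.25 and name mail.example.com are constructed values.

```python
import struct

# Header flag bits (RFC 1035 / RFC 4035)
QR = 0x8000  # response
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # authentic data: resolver validated everything it returned
CD = 0x0010  # checking disabled
# DNSSEC OK bit lives in the OPT pseudo-RR's TTL field (RFC 3225), not the header
DO = 0x8000
OPT = 41
A = 1


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at msg[off] (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype, txid=0x1234, want_ad=False, want_do=False):
    """Build a recursive query; want_ad sets the header AD-Bit (RFC 6840),
    want_do attaches an EDNS OPT record with the DO-Bit (RFC 4035 style)."""
    flags = RD | (AD if want_ad else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if want_do else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if want_do:
        # OPT RR: root name, type 41, class = UDP payload size,
        # TTL field = ext-rcode(8) | version(8) | flags(16), empty rdata
        msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, DO, 0)
    return msg


def parse_flags(msg):
    """Extract header flags and, if an OPT record is present, the DO-Bit."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # qtype + qclass
    do_bit = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT:
            do_bit = bool(ttl & DO)
    return {
        "qr": bool(flags & QR), "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD), "do": do_bit,
        "rcode": flags & 0xF,
    }


def build_sample_response(query, ad_set, do_set, address="192.0.2.25"):
    """Constructed stand-in for a resolver reply: echoes the question and
    answers with one A record. No RRSIGs are included (kept short on purpose)."""
    txid, = struct.unpack_from("!H", query, 0)
    qend = skip_name(query, 12) + 4
    flags = QR | RD | RA | (AD if ad_set else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1 if do_set else 0)
    msg += query[12:qend]
    # answer owner name as a compression pointer back to the question (offset 12)
    msg += b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 300, 4)
    msg += bytes(int(octet) for octet in address.split("."))
    if do_set:
        msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, DO, 0)
    return msg


def validated(response):
    """A client that relies on its resolver may only treat data as DNSSEC
    validated when the reply carries the AD-Bit (the check this thread is about)."""
    f = parse_flags(response)
    return f["qr"] and f["rcode"] == 0 and f["ad"]


if __name__ == "__main__":
    q = build_query("mail.example.com", A, want_do=True)
    print("query flags:", parse_flags(q))
    for ad_set in (True, False):
        r = build_sample_response(q, ad_set=ad_set, do_set=True)
        print("AD in reply:", ad_set, "-> validated:", validated(r))
```

Running it prints the DO-only query flags (do=True, ad=False, which matches the tcpdump observation in the thread) and shows that the same answer is accepted as validated only when the resolver sets the AD-Bit in its reply; a resolver that validates but leaves AD clear is indistinguishable from one that did not validate at all.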