Hello Wolfgang,
Wolfgang Rosenauer writes:
Thanks for that hint. I guess this is exactly the issue. The recursive resolver for the smtp client is actually indeed also the authoritative dns for the target domain. This special case was absolutely unexpected to me though.
If the DNS server that is the owner of the data (the authoritative server) also did the DNSSEC verification, not much security would be gained. It would be like having the treasurer and the auditor be the same person, which is not secure.
With DNSSEC, the validating resolver cannot be authoritative. A DNS server that is authoritative will respond with an AA (Authoritative Answer) flag, but never with AD (Authenticated Data).
I wrote a blog article on this topic a while ago: http://strotmann.de/roller/dnsworkshop/entry/dns_name_resolution_design_for
Best regards
Carsten
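The AA/AD distinction Carsten describes can be checked directly on the wire: a validating resolver sets the AD (Authenticated Data) bit in the 12-byte DNS header, while an authoritative server sets AA and never AD. The following is an added example, not code from either correspondent, that parses the header flags of a DNS response and classifies it so that a client relying on DNSSEC (such as the smtp client in the thread) can detect that it is talking to an authoritative server instead of a validating resolver. The two sample responses are constructed inline; `build_response_header` and `classify_response` are names chosen for this example and assume standard library only.

```python
import struct

# Header flag bits as laid out in RFC 1035 (QR, AA, RD, RA, RCODE)
# and RFC 4035 (AD, CD); the header is six big-endian 16-bit words.
QR = 0x8000          # response (1) vs query (0)
AA = 0x0400          # Authoritative Answer
RD = 0x0100          # Recursion Desired
RA = 0x0080          # Recursion Available
AD = 0x0020          # Authenticated Data (set only by a validating resolver)
CD = 0x0010          # Checking Disabled
RCODE_MASK = 0x000F  # response code, 0 = NOERROR


def build_response_header(ident, flags, qdcount=1, ancount=1, nscount=0, arcount=0):
    """Construct a 12-byte DNS header (sample data for this example)."""
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, nscount, arcount)


def parse_header(msg):
    """Decode the fixed DNS header at the start of a wire-format message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_response(msg):
    """Tell a DNSSEC-validated answer apart from an unvalidated one.

    Returns one of:
      "validated"                 AD set: a validating resolver vouches for the data
      "authoritative-unvalidated" AA set, AD clear: answered by the zone's own
                                  server, which cannot validate its own data
      "unvalidated"               neither bit: a non-validating recursive resolver
      "error"                     non-zero RCODE; flags are not meaningful
    """
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("message is a query, not a response")
    if h["rcode"] != 0:
        return "error"
    if h["ad"]:
        return "validated"
    if h["aa"]:
        return "authoritative-unvalidated"
    return "unvalidated"


# Constructed samples: what a validating recursive resolver returns
# (QR, RD, RA, AD) versus what the authoritative server for the zone
# returns (QR, AA, RD, RA) for the same question.
FROM_VALIDATING_RESOLVER = build_response_header(0x1234, QR | RD | RA | AD)
FROM_AUTHORITATIVE_SERVER = build_response_header(0x1234, QR | AA | RD | RA)

if __name__ == "__main__":
    for label, sample in (("validating resolver", FROM_VALIDATING_RESOLVER),
                          ("authoritative server", FROM_AUTHORITATIVE_SERVER)):
        h = parse_header(sample)
        print(f"{label:22s} AA={int(h['aa'])} AD={int(h['ad'])} -> {classify_response(sample)}")
```

The practical check that follows from the thread is the second case: if a client that requires DNSSEC sees AA set and AD clear, its configured resolver is (also) authoritative for the zone, and the fix is to point the client at a separate validating resolver rather than to weaken the check.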