Wolfgang Rosenauer wrote: > I just switched to PowerDNS Recursor on my Postfix mailserver since > their latest version (4) now supports DNSSEC validation. > > Unfortunately now Postfix seems to be unable to verify DANE anymore. I > always get only "Anonymous TLS connections" where I got "Verified" ones > when using bind. > > Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it > seems that Postfix relies on the +AD flag to signal a DNSSEC validated > response but doesn't request it. I can only find a set DO bit in the > query's dump.
Sorry for maybe asking the obvious: Did you turn on DNSSEC validation in your recursor.conf? dnssec=validate Ciao, Michael.
smime.p7s
Description: S/MIME Cryptographic Signature
