On Sat, Mar 16, 2024 at 11:04:46PM +0100, Dirk Stöcker via Postfix-users wrote:

> From the server which has the local name server the answer has the
> aa flag, but not the ad flag.

That's expected when the nameserver in question is authoritative for the
requested domain, no DNSSEC validation is performed, since the data is
(presumably) from a trusted source.  It is up to recursive servers to
validate it as needed.

Your configuration where the same server is both authoritative and
recursive is not supported.  The risk with trusting that AA-bit is that
the server might be a secondary server for the zone, with an insecure
channel for zone transfers, in which case the AA bit cannot be trusted.

Postfix only trusts the AD bit from a validating local resolver, and
trusting the AA bit would have to be a new configuration option, but it is
simpler to never mix authoritative and recursive service in the same
nameserver process.

On my machine, the authoritative server (BIND) only listens on the
ethernet IP interface, while the recursive server (unbound)
listens only on 127.0.0.1.  It validates queries for my own domain,
just like for any other.


> So two tasks for me:
> a) fix the internal DNSSEC issue

Nothing to fix in DNSSEC, rather, split the auth and recursive
resolvers.

-- 
    Viktor.
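The AA versus AD distinction drawn above, as an added example that is not part of the original post and not Postfix's own code: a stdlib-only Python script that builds a DNSSEC-aware query (RD, AD and the EDNS0 DO bit), decodes the response header, and applies the policy described in the thread, trusting only the AD bit from a local validating resolver and ignoring AA. The name example.org, the 192.0.2.x addresses, the two constructed responses and the use of "loopback address" as the stand-in for "local resolver" are illustrative assumptions; Postfix itself leaves the choice of a trustworthy resolver to the administrator.

```python
"""Decode DNS header flags and apply the rule: trust AD from a local
validating resolver, never AA.  Added example, not Postfix code."""
import ipaddress
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2)
FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # authoritative answer: server is authoritative for the zone
FLAG_TC = 0x0200  # truncated
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: a validating resolver verified the RRSIGs
FLAG_CD = 0x0010  # checking disabled

QTYPE_MX = 15
QCLASS_IN = 1
OPT_TYPE = 41
EDNS_DO = 0x8000  # DNSSEC OK bit in the OPT RR's TTL field


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_MX, txid: int = 0x2A2A) -> bytes:
    """Query with RD set, AD set (asks the resolver to report validation
    status) and an EDNS0 OPT RR carrying the DO bit, as a DNSSEC-aware stub sends."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/DO, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into named flags and section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def dnssec_trusted(resp: bytes, resolver_ip: str) -> bool:
    """An answer counts as DNSSEC-validated only when AD is set AND it came
    from a local validating resolver.  AA is deliberately ignored: it says
    the server is authoritative, not that the data was validated (it may
    have arrived over an unsecured zone transfer).  The loopback check is an
    assumption standing in for "resolver the administrator trusts"."""
    h = parse_header(resp)
    if not h["qr"] or h["tc"] or h["rcode"] != 0:
        return False
    return h["ad"] and ipaddress.ip_address(resolver_ip).is_loopback


def send_query(resolver_ip: str, name: str, qtype: int = QTYPE_MX, timeout: float = 2.0) -> bytes:
    """Send the query over UDP and return the raw response (needs network; not run offline)."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return resp


def _constructed_response(flags: int, txid: int = 0x2A2A) -> bytes:
    """Constructed sample capture: header plus the echoed question, no answer RRs."""
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | flags, 1, 0, 0, 0)
    return header + encode_name("example.org") + struct.pack("!HH", QTYPE_MX, QCLASS_IN)


# As an authoritative server (BIND on the LAN interface) answers: AA set, AD clear.
AUTH_SERVER_RESPONSE = _constructed_response(FLAG_AA)
# As a validating recursive resolver (unbound on 127.0.0.1) answers: RA and AD set, AA clear.
VALIDATING_RESOLVER_RESPONSE = _constructed_response(FLAG_RA | FLAG_AD)

if __name__ == "__main__":
    for label, resp, ip in [
        ("authoritative server 192.0.2.10", AUTH_SERVER_RESPONSE, "192.0.2.10"),
        ("validating resolver 127.0.0.1", VALIDATING_RESOLVER_RESPONSE, "127.0.0.1"),
    ]:
        h = parse_header(resp)
        print(f"{label}: aa={h['aa']} ad={h['ad']} trusted={dnssec_trusted(resp, ip)}")
```

Run against a real split setup, `parse_header(send_query("127.0.0.1", "your.domain"))` should show `ad=True, aa=False` for a signed zone, while the same query to the authoritative address shows `aa=True, ad=False`; with both roles in one process the AD bit never appears for your own zone, which is the symptom reported at the top of the thread.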
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org