On 17/10/2017 7:14 PM, Viktor Dukhovni wrote:
> So it seems that the machine in question has the authoritative
> server for the zone as its recursive server. Such mixing of
> authoritative and recursive workloads is discouraged these days,
> and critically, it breaks DANE in Postfix for any authoritative
> zones, because authoritative servers are not validating resolvers,
> and don't set the AD bit in authoritative replies.

Bingo. That information certainly explains the behavior observed.

Does this therefore require DNSSEC-validation to be set to "no" (for the authoritative NS):

    dnssec-enable yes;
    dnssec-validation no;
    dnssec-lookaside auto;

> The A record is not seen as "secure" by Postfix.

Got it.

> On my server the authoritative BIND nameserver listens on the
> external public IP address, while the validating unbound resolver
> listens on 127.0.0.1 and the internal network interface. The
> "/etc/resolv.conf" file lists 127.0.0.1, so DNS queries from
> applications go to unbound, not BIND. The "unbound" server
> is configured to do DNSSEC validation, and queries BIND setting
> the "ad" bit as/when appropriate.
>
> The BIND server refuses recursion, while the unbound server
> serves no authoritative zones.

Mal
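The authoritative/resolver split described in the quoted message, written out as an added example configuration (it is not either poster's actual config): BIND answers only for its zones on the public address and refuses recursion, unbound validates on loopback and the LAN interface, and applications are pointed at unbound. The addresses 203.0.113.10 and 192.0.2.0/24, the zone example.com and the file paths are placeholders.

```conf
# /etc/named.conf  (authoritative only; placeholder addresses and zone)
options {
    listen-on { 203.0.113.10; };        # public address only, not 127.0.0.1
    recursion no;                       # never act as a resolver for anyone
    allow-query { any; };               # the zones below are public data
};
zone "example.com" {
    type master;
    file "/var/named/example.com.signed";   # signed zone, served with RRSIGs
};

# /etc/unbound/unbound.conf  (validating resolver, no authoritative zones)
server:
    interface: 127.0.0.1
    interface: 192.0.2.1                # internal interface (placeholder)
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # turns validation on
    harden-dnssec-stripped: yes         # reject answers with RRSIGs stripped off

# /etc/resolv.conf  (Postfix and other applications query unbound, not BIND)
nameserver 127.0.0.1
```

With this layout a lookup such as `dig +dnssec example.com A @127.0.0.1` should show `ad` among the flags, which is what Postfix needs to treat the record as secure; the same query against 203.0.113.10 answers with `aa` and no `ad`, as the quoted message explains.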