Dan Mahoney:
> > If you enable DNSSEC lookups, Postfix will log a warning when the root
> > zone appears unsigned. See:
> >
> > http://www.postfix.org/postconf.5.html#dnssec_probe
> >
> > This feature is available in Postfix 3.6 and later. It was
> > backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21.
>
> This is a problem when your local resolver is slaving the root
> zone, as a standard root zone "type slave" will hand . NS out with
> the AA bit set, but will not set the AD bit.
In that case, you can configure 'dnssec_probe' with a different query.
Wietse
