Dan Mahoney: > > If you enable DNSSEC lookups, Postfix will log a warning when the root > > zone appears unsigned. See: > > > > http://www.postfix.org/postconf.5.html#dnssec_probe > > > > This feature is available in Postfix 3.6 and later. It was > > backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21. > > This is a problem when your local resolver is slaving the root > zone, as a standard root zone "type slave" will hand . NS out with > the AA bit set, but will not set the AD bit.
In that case, you can configure 'dnssec_probe' with a different query. Wietse