Hi, I just switched to PowerDNS Recursor on my Postfix mailserver since their latest version (4) now supports DNSSEC validation.
Unfortunately now Postfix seems to be unable to verify DANE anymore. I always get only "Anonymous TLS connections" where I got "Verified" ones when using bind. Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it seems that Postfix relies on the +AD flag to signal a DNSSEC validated response but doesn't request it. I can only find a set DO bit in the query's dump. I'm running Postfix 3.1.1 fwiw. Any idea? Thanks, Wolfgang