On Mon, Jul 11, 2016 at 10:16:47PM +0200, Wolfgang Rosenauer wrote:

> Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it
> seems that Postfix relies on the +AD flag to signal a DNSSEC validated
> response but doesn't request it. I can only find a set DO bit in the
> query's dump.

Requesting "DO" is expected to subsume "AD". It does with BIND and "unbound". The libresolv API does not provide a mechanism to turn on the "AD" bit in requests made via res_search(3). The only relevant resolver flag RES_USE_DNSSEC turns on "DO", not "AD".

You should probably use "unbound" or BIND as your validating resolver, PowerDNS is only compelling as an authoritative server.

-- 
Viktor.
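
Added example, not part of the original message: a small Python parser that reports which DNSSEC request bits a raw DNS query carries, the AD flag in the header or the DO flag in the EDNS0 OPT record, which is the distinction seen in the tcpdump output discussed above. The query bytes are constructed here, and `build_query`, `skip_name` and `dnssec_bits` are hypothetical helper names.

```python
import struct

AD_FLAG = 0x0020   # header flag: Authentic Data
DO_FLAG = 0x8000   # EDNS0 OPT flag: DNSSEC OK (top bit of the low 16 TTL bits)
TYPE_OPT = 41

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, ad=False, do=False):
    """Construct a sample query; RD is always set, AD/DO as requested."""
    flags = 0x0100 | (AD_FLAG if ad else 0)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if do:  # OPT pseudo-RR: root name, type 41, class = UDP size, TTL = flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG, 0)
    return msg

def skip_name(msg, off):
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer terminates the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def dnssec_bits(msg):
    """Return which DNSSEC-related bits a raw DNS message carries."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & DO_FLAG)
    return {"AD": bool(flags & AD_FLAG), "DO": do}

if __name__ == "__main__":
    # Constructed samples: DO only (what RES_USE_DNSSEC produces per the reply), AD only, both
    for ad, do in ((False, True), (True, False), (True, True)):
        print(ad, do, dnssec_bits(build_query("example.com", 15, ad=ad, do=do)))
```

Feeding it the UDP payload of a captured query shows at a glance whether the stub resolver asked with DO, AD, both or neither.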