Michael Ströder wrote: > Wolfgang Rosenauer wrote: >> I just switched to PowerDNS Recursor on my Postfix mailserver since >> their latest version (4) now supports DNSSEC validation. >> >> Unfortunately now Postfix seems to be unable to verify DANE anymore. I >> always get only "Anonymous TLS connections" where I got "Verified" ones >> when using bind. >> >> Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it >> seems that Postfix relies on the +AD flag to signal a DNSSEC validated >> response but doesn't request it. I can only find a set DO bit in the >> query's dump. > > Sorry for maybe asking the obvious: > Did you turn on DNSSEC validation in your recursor.conf? > > dnssec=validate
See also: https://doc.powerdns.com/md/recursor/settings/#dnssec Ciao, Michael.
smime.p7s
Description: S/MIME Cryptographic Signature
