Hi Wolfgang,

On 11/07/2016 22:16 PM, Wolfgang Rosenauer wrote:
> Hi,
>
> I just switched to PowerDNS Recursor on my Postfix mailserver since
> their latest version (4) now supports DNSSEC validation.
>
> Unfortunately now Postfix seems to be unable to verify DANE anymore. I
> always get only "Anonymous TLS connections" where I got "Verified" ones
> when using bind.
>
> Apparently and somewhat confirmed by tcpdump and the PowerDNS guys it
> seems that Postfix relies on the +AD flag to signal a DNSSEC validated
> response but doesn't request it. I can only find a set DO bit in the
> query's dump.
>
> I'm running Postfix 3.1.1 fwiw.
>
> Any idea?
>
>
> Thanks,
> Wolfgang
>
Setting the AD-Bit without the DO-Bit in a DNS query is a rather new addition to DNSSEC (Feb 2013 -- https://tools.ietf.org/html/rfc6840#page-10 ). It is used when a client just wants the AD-Bit in the response, without the DNSSEC records. Only quite new DNS resolvers support this.

The original DNSSEC standard RFC 4033-4035, as implemented in BIND 9, Unbound, MS DNS and other DNS resolvers, says that when a stub-resolver asks with the DO-Bit set, the resolver will validate the data and return the DNSSEC records plus the AD-Bit set in case all data validates.

If PowerDNS Recursor does not set the AD-Bit on a query with the DO-Bit set, it looks like the DNSSEC protocol is not implemented in a way compatible with existing software.

--
Carsten
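The flag handling described in this thread, as an added Python example that is not part of the original mail or of Postfix/PowerDNS: the query carries RD (and optionally AD) in the header and DO in an EDNS0 OPT record, and a DANE client keys on AD in the response header. The TLSA owner name and the two sample response headers are constructed; only the standard library is used.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD from RFC 4035 section 3.2.3)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
# The DO bit is the high bit of the OPT pseudo-RR's TTL field (RFC 6891 section 6.1.4)
EDNS_DO = 0x80000000
TYPE_OPT = 41
TYPE_TLSA = 52  # DANE TLSA records, what Postfix looks up for "Verified" TLS

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txn_id=0x1234, want_ad=True, want_do=True):
    """Build a UDP query. want_ad sets AD in the header (the RFC 6840 style request);
    want_do appends an OPT record with DO set (asks for validation plus DNSSEC records)."""
    flags = FLAG_RD | (FLAG_AD if want_ad else 0)
    arcount = 1 if want_do else 0
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if want_do:
        # root name, TYPE OPT, UDP payload size 4096, ext-rcode/version/flags with DO, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt

def header_flags(packet):
    return struct.unpack("!H", packet[2:4])[0]

def opt_do_set(packet):
    """True if the packet ends in an OPT record with DO set (assumes, as build_query does,
    that the OPT record is the trailing record and has no RDATA)."""
    tail = packet[-11:]
    if len(tail) < 11 or tail[0] != 0:
        return False
    rtype, _, ttl, rdlen = struct.unpack("!HHIH", tail[1:])
    return rtype == TYPE_OPT and rdlen == 0 and bool(ttl & EDNS_DO)

def response_authenticated(packet):
    """What a DANE client checks: a response (QR) whose header has AD set."""
    flags = header_flags(packet)
    return bool(flags & FLAG_QR) and bool(flags & FLAG_AD)

# Constructed sample response headers (no records), as a tcpdump would show them:
# a validating resolver answering a DO query: QR RD RA AD
VALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
# a resolver that returned the data without signalling validation: QR RD RA only
NOT_SIGNALLED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1)
```

Feed a real response into `response_authenticated` to see which of the two cases a resolver produces; without the AD bit a DANE client cannot treat the TLSA data as usable even if the RRSIGs are present.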
