I don't see the AD bit being set in your example? It is, however, set when I ask a DNSSEC-aware resolver. Which resolver are you asking? Your localhost (127.0.0.1) may not be DNSSEC-aware.
# dig mx4.unitybox.de +dnssec +multi

; <<>> DiG 9.9.5 <<>> mx4.unitybox.de +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30525
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 9

On 08/02/2017 14:04, Fasan, Stefan via Exim-users wrote:
> Greetings
>
> Testing DANE with exim 4.88 and having issues. I'll attach my exim.conf at
> the end of this mail. What am I missing here? Exim doesn't seem to be able to
> resolve DNSSEC at all despite using a local pdns-recursor that returns good
> DNSSEC signatures. I'd greatly appreciate any ideas that would point me in
> the right direction, as I seem to be completely stuck with this problem!
>
> Running CentOS 6.7
>
> 1) Exim 4.88 compiled with EXPERIMENTAL_dane = yes
> 2) Using local pdns-recursor 4.x, dig returns a good DNSSEC signature:
>
> dig mx4.unitybox.de +dnssec +multi
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> mx4.unitybox.de +dnssec +multi
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13137
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;mx4.unitybox.de.    IN A
>
> ;; ANSWER SECTION:
> mx4.unitybox.de.    1998 IN A 80.69.98.122
> mx4.unitybox.de.    1998 IN RRSIG A 8 3 3600 20170219230330 (
>                     20170120222301 19254 unitybox.de.
>                     HPtLSwDpOuhtlt8t/4Jdve+yghm4jnOnrxnL31KU9bjl
>                     xHdOK9XgQOrEaL0R20oNOIILwp226V+EJil1wl1teX0y
>                     51DivOWZzypUO9pGJjucjjxtPAPha23gGICxCqoZVLap
>                     YXcwD71vp0fiHdwpm6Qz8c2NnH56Pa78GABxhAiidznt
>                     FVZLi280xxgV7Viqcfw16RIsuDfr54b6b8nb2qXa4peF
>                     1F7zvjcCP62eGOskuvUr586ZFJZdpX5O4/aJgHwjWq7f
>                     Zk3jvC3HSgCPXpmWx2/Yvzq8CFBNnClC1Ls8ctHpHAj2
>                     9pc19EwQeoMEQrAVt9iXnUujVzHc4OvAzg== )
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Feb  8 12:51:35 2017
> ;; MSG SIZE  rcvd: 359
>
> 3) Exim fails to see DNSSEC for this example domain and returns "**
> [email protected] R=dnslookup T=remote_smtp: DANE error: mx4.unitybox.de
> lookup not DNSSEC"
> 4) resolv.conf only contains 127.0.0.1 (local pdns-recursor)
> 5) Here is my exim.conf. It's a bit messy because I use it for testing in a
> DEV environment at the moment.
>
>
> ##########
> ## MAIN ##
> ##########
>
> local_interfaces = 172.31.111.107
> primary_hostname = *********
> smtp_banner = "${primary_hostname******"
> domainlist local_domains = @ : localhost : localhost.localdomain
> domainlist relay_to_domains = *
> hostlist relay_from_hosts = 127.0.0.1 : 172.31.111.0/24
> #acl_smtp_mail = acl_check_mail
> acl_smtp_rcpt = acl_check_rcpt
> acl_smtp_data = acl_check_data
> #acl_smtp_mime = acl_check_mime
> tls_certificate = /etc/pki/tls/certs/exim.pem
> tls_privatekey = /etc/pki/tls/private/exim.pem
> daemon_smtp_ports = 25
> never_users = root
> auth_advertise_hosts =
> rfc1413_hosts = *
> rfc1413_query_timeout = 0s
> ignore_bounce_errors_after = 3h
> timeout_frozen_after = 3h
> message_size_limit = 35M
> smtp_return_error_details = yes
> smtp_accept_max = 1000
> smtp_accept_queue_per_connection = 1500
> log_selector = +dnssec -queue_run
> log_file_path = /var/log/exim/%s-%D.log
> keep_environment =
> ### testing DANE support here
> dns_dnssec_ok = 1
>
> #########
> ## ACL ##
> #########
>
> begin acl
>
> acl_check_mail:
>   deny    condition = ${if eq{$sender_helo_name}{} {1}}
>           message = Nice boys say HELO first
>
> acl_check_rcpt:
>   # accept  hosts = :
>   #         control = dkim_disable_verify
>
>   # deny    message = Restricted characters in address
>   #         domains = +local_domains
>   #         local_parts = ^[.] : ^.*[@%!/|]
>   # deny    message = Restricted characters in address
>   #         domains = !+local_domains
>   #         local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
>
>   # accept  local_parts = postmaster
>   #         domains = +local_domains
>   # accept  hosts = +relay_from_hosts
>   #         control = submission
>   #         control = dkim_disable_verify
>   # accept  authenticated = *
>   #         control = submission
>   #         control = dkim_disable_verify
>   # require message = relay not permitted
>   #         domains = +local_domains : +relay_to_domains
>   accept
>
> acl_check_data:
>   accept
>
> acl_check_mime:
>   accept
>
>
> #############
> ## ROUTERS ##
> #############
>
> begin routers
>
> bounce:
>   driver = manualroute
>   condition = ${if eq{$sender_address}{$bounce_recipient}}
>   transport = bounce_transport
>   route_list = * 172.31.111.119
>   #route_data = 172.31.218.242
>   pass_on_timeout
>   no_more
>
> dnslookup:
>   driver = dnslookup
>   domains = ! +local_domains
>   transport = remote_smtp
>   dnssec_request_domains = *
>   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
>   pass_on_timeout
>   # fallback_hosts = 172.31.111.119
>   no_more
>
> #fallback_DNS_timeout:
> #  driver = manualroute
> #  route_data = 172.31.111.119
> #  transport = remote_smtp
> #  no_more
>
> system_aliases:
>   driver = redirect
>   allow_fail
>   allow_defer
>   data = ${lookup{$local_part}lsearch{/etc/aliases}}
>   file_transport = address_file
>   pipe_transport = address_pipe
>
> userforward:
>   driver = redirect
>   check_local_user
>   file = $home/.forward
>   allow_filter
>   no_verify
>   no_expn
>   check_ancestor
>   file_transport = address_file
>   pipe_transport = address_pipe
>   reply_transport = address_reply
>
> procmail:
>   driver = accept
>   check_local_user
>   require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
>   transport = procmail
>   no_verify
>
> localuser:
>   driver = accept
>   check_local_user
>   transport = local_delivery
>   cannot_route_message = Unknown user
>
>
> ################
> ## TRANSPORTS ##
> ################
>
> begin transports
>
> bounce_transport:
>   driver = smtp
>
> remote_smtp:
>   driver = smtp
>   connection_max_messages = 5
>   ### testing DANE here
>   hosts_require_dane = *
>
> procmail:
>   driver = pipe
>   command = "/usr/bin/procmail -d $local_part"
>   return_path_add
>   delivery_date_add
>   envelope_to_add
>   user = $local_part
>   initgroups
>   return_output
>
> local_delivery:
>   driver = appendfile
>   file = /var/mail/$local_part
>   delivery_date_add
>   envelope_to_add
>   return_path_add
>   group = mail
>   mode = 0660
>
> address_pipe:
>   driver = pipe
>   return_output
>
> address_file:
>   driver = appendfile
>   delivery_date_add
>   envelope_to_add
>   return_path_add
>
> address_reply:
>   driver = autoreply
>
> ##################
> ## RETRY & MISC ##
> ##################
>
> begin retry
> *  *  F,8h,5m;
>
> begin rewrite
>
> begin authenticators
>
>
>
> Best Regards,
>
> --
> Stefan Fasan
>
> Information pursuant to § 14 Unternehmensgesetzbuch (Austrian Commercial Code): UPC Austria GmbH, registered office:
> Wolfganggasse 58-60, 1120 Wien, company register number: FN 251865s, Handelsgericht
> Wien (Vienna Commercial Court).

--
Mark James ELKINS  -  Posix Systems - (South) Africa
[email protected]       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
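The distinction the reply draws is the one Exim acts on: a DNS lookup counts as DNSSEC-authenticated only when the resolver sets the AD (Authenticated Data) bit in the reply header, not when RRSIG records happen to come back. The original poster's transcript has the EDNS DO flag and an RRSIG but `flags: qr rd ra` with no `ad`, which is exactly what produces "lookup not DNSSEC". Below is an added example, not code from the thread or from Exim, that applies that check to `dig` output. `classify_dig` and `check_resolver` are names chosen here; the three `sample_*` transcripts are constructed from the two header lines quoted above (answer sections and the signature are abbreviated, and the `sample_no_do` query id is made up).

```shell
#!/bin/sh
# Added example, not from the exim-users thread: classify a `dig +dnssec`
# transcript by its header flags. Exim judges "lookup not DNSSEC" from the
# resolver's AD (Authenticated Data) bit, so an answer that carries RRSIGs
# but no "ad" in the flags line still fails DANE.

# classify_dig: read one dig transcript on stdin, print exactly one verdict:
#   validated           AD set: the resolver validated the answer (what Exim needs)
#   signed-unvalidated  RRSIGs returned and DO set, but no AD: the resolver
#                       is not validating (or has no trust anchor)
#   no-do-bit           EDNS DO flag absent: dig was run without +dnssec
#   unsigned            DO set, no AD, no RRSIG: the zone is not signed
classify_dig() {
    out=$(cat)
    # header flags between "flags:" and the next ";", e.g. "qr rd ra ad"
    hdr=$(printf '%s\n' "$out" | sed -n 's/^;; flags: *\([^;]*\);.*/\1/p')
    # EDNS flags from the OPT pseudosection, e.g. "do"
    edns=$(printf '%s\n' "$out" | sed -n 's/^; EDNS:.*flags: *\([^;]*\);.*/\1/p')
    # number of RRSIG records returned (grep -c exits 1 on zero matches)
    rrsigs=$(printf '%s\n' "$out" | grep -c '[[:space:]]IN[[:space:]]\{1,\}RRSIG[[:space:]]' || true)

    case " $hdr " in *" ad "*) echo validated; return 0 ;; esac
    case " $edns " in *" do "*) ;; *) echo no-do-bit; return 0 ;; esac
    if [ "$rrsigs" -gt 0 ]; then
        echo signed-unvalidated
    else
        echo unsigned
    fi
}

# check_resolver NAME [RESOLVER]: run the real query against the resolver Exim
# will use (127.0.0.1, as in the poster's resolv.conf). Needs network access;
# the constructed samples below do not exercise it.
check_resolver() {
    dig "@${2:-127.0.0.1}" "$1" +dnssec +multi | classify_dig
}

# Constructed sample modelled on the reply's output: AD bit present.
sample_validated() {
    cat <<'EOF'
; <<>> DiG 9.9.5 <<>> mx4.unitybox.de +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30525
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mx4.unitybox.de.  IN A

;; ANSWER SECTION:
mx4.unitybox.de.  1998 IN A 80.69.98.122
mx4.unitybox.de.  1998 IN RRSIG A 8 3 3600 20170219230330 20170120222301 19254 unitybox.de. HPtL...
EOF
}

# Constructed sample modelled on the original poster's output: RRSIG and DO
# present, AD absent. This is the case behind "lookup not DNSSEC".
sample_unvalidated() {
    cat <<'EOF'
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> mx4.unitybox.de +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13137
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mx4.unitybox.de.  IN A

;; ANSWER SECTION:
mx4.unitybox.de.  1998 IN A 80.69.98.122
mx4.unitybox.de.  1998 IN RRSIG A 8 3 3600 20170219230330 20170120222301 19254 unitybox.de. HPtL...
EOF
}

# Constructed sample: a plain query without +dnssec (no OPT section, no RRSIG).
sample_no_do() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;mx4.unitybox.de.  IN A
;; ANSWER SECTION:
mx4.unitybox.de.  1998 IN A 80.69.98.122
EOF
}
```

Run `check_resolver mx4.unitybox.de 127.0.0.1` on the MTA itself, since that is the resolver Exim's `dnssec_request_domains = *` lookups go through. A `signed-unvalidated` verdict means the recursor forwards signatures but does not validate them; for pdns-recursor 4.x that is the `dnssec` setting in recursor.conf, whose 4.0 default `process-no-validate` returns RRSIGs without ever setting AD, and which needs to be `validate` before Exim will treat the lookup as DNSSEC.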
