On 10/21/20 11:16 AM, Fred Morris wrote:
> If DNSSEC isn't required for the domain(s) in question (or at least postfix
> in this specific case) you might look at RPZ as a way of rewriting just a
> single record in the zone: https://www.dnsrpz.info/

You can also use a local validating recursive resolver (such as Unbound) and inject a fake record yourself. Postfix doesn't validate DNSSEC on its own. That said, I am not sure how to get Unbound to lie about the AD bit.

Demi