On 27/03/2021 at 13:34, Viktor Dukhovni wrote:
On Sat, Mar 27, 2021 at 12:51:36PM +0100, Francesc Peñalvez wrote:

I have the dns of the domain managed externally, configured with dnssec, and another host running postfix. How could I integrate that postfix use the dnssec configuration? Would it be enough to add the dns of the external service to the postfix resolv.conf?

As written, the question makes no sense. You'll need to explain your goals in more detail.

- If your domain is already signed, then clients resolving data about your domain are able (when suitably configured) to validate the integrity of that data.

- If you're looking to use DNSSEC as a client, to validate DNS records of remote domains, all you need is a local (running on the Postfix server itself, listening on 127.0.0.1:53) validating resolver, such as unbound, Knot, BIND, ...

  * The DNSSEC status of your own domain is irrelevant for validating remote domains.

  * Validating remote domains does not directly do anything to ensure data integrity for your own domains when queried by others.

See:

https://stats.dnssec-tools.org/explore/?almogavers.net
https://dnsviz.net/d/almogavers.net/YFjc3g/dnssec/

I would perhaps recommend either switching to algorithm 13 (ECDSA P256), which has better security at a lower key size, or use a ZSK that is shorter than 2048 bits (1280 bits is what .COM uses), which tends to be a bit too large for unfragmented UDP when responses carry multiple signatures (e.g. NSEC3 negative answers). Fragmented UDP is not reliable these days over wide-area networks. For small zones with no names to hide, just use NSEC.
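The "local validating resolver on 127.0.0.1:53" setup described above, as an added example that is not part of the thread and not code from Viktor or the Postfix project: it records the Postfix and resolver settings involved and provides two checks a practitioner would run on the Postfix host, one that resolv.conf points only at the local resolver (Postfix trusts the AD bit from whatever nameserver resolv.conf names, so a remote resolver there defeats the purpose) and one that a `dig +dnssec` answer actually carries the `ad` flag. The file paths, the sample resolv.conf contents and the sample dig output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Paths and sample data are assumptions.
#
# Postfix side (main.cf), once a validating resolver answers on 127.0.0.1:53:
#   smtp_dns_support_level = dnssec      # ask for and honour the AD bit
#   smtp_tls_security_level = dane       # optional: use TLSA records when present
#   smtp_host_lookup = dns
#
# Resolver side (unbound.conf, assumed layout):
#   server:
#     interface: 127.0.0.1
#     port: 53
#     auto-trust-anchor-file: "/var/lib/unbound/root.key"   # seeded with unbound-anchor
#
# /etc/resolv.conf must then name ONLY the local validator:
#   nameserver 127.0.0.1
#   options edns0 trust-ad

# Check 1: every nameserver line in resolv.conf points at loopback, and
# there is at least one. Argument: the file contents (use "$(cat /etc/resolv.conf)").
resolv_is_local() {
    printf '%s\n' "$1" | awk '
        $1 == "nameserver" { n++; if ($2 != "127.0.0.1" && $2 != "::1") bad++ }
        END { exit (n == 0 || bad > 0) }'
}

# Check 2: dig prints "ad" in its flags line only when the resolver asserts
# the answer was validated. Argument: the output of e.g.
#   dig +dnssec @127.0.0.1 example.com. A
dig_answer_is_authenticated() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# Constructed sample inputs for offline use.
GOOD_RESOLV='nameserver 127.0.0.1
options edns0 trust-ad'
BAD_RESOLV='nameserver 127.0.0.1
nameserver 192.0.2.53'
VALIDATED_DIG=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
UNVALIDATED_DIG=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Run both checks on the sample data; on a real host replace the samples with
# "$(cat /etc/resolv.conf)" and "$(dig +dnssec @127.0.0.1 example.com. A)".
if resolv_is_local "$GOOD_RESOLV" && dig_answer_is_authenticated "$VALIDATED_DIG"; then
    echo "sample setup looks DNSSEC-ready"
else
    echo "sample setup is NOT DNSSEC-ready"
fi
```

The second check is the one that matters in practice: a resolver that forwards queries without validating still answers, so a working `dig` proves nothing until the `ad` flag shows up; `postconf -n smtp_dns_support_level` confirms the Postfix side.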
