#14528: postfix-3.5.9
-------------------------+-----------------------
 Reporter:  renodr       |       Owner:  renodr
     Type:  enhancement  |      Status:  assigned
 Priority:  normal       |   Milestone:  10.1
Component:  BOOK         |     Version:  SVN
 Severity:  normal       |  Resolution:
 Keywords:               |
-------------------------+-----------------------

Comment (by renodr):

 {{{
  Runtime detection of DNSSEC support

 This update improves the reporting of DNSSEC problems that may affect DANE
 security. DNSSEC support may be unavailable because of local configuration,
 libc incompatibility, or other infrastructure issues. This was backported
 from Postfix 3.6.

 Background: DNSSEC validation is needed for Postfix DANE support; this
 ensures that Postfix receives TLSA records with secure TLS server
 certificate info. When DNSSEC validation is unavailable, mail deliveries
 using opportunistic DANE (security level 'dane') will not be protected by
 server certificate info in TLSA records, and mail deliveries using
 mandatory DANE (security level 'dane-only') will not be made at all.

 This update introduces the following behavior: when a process requests
 DNSSEC support (typically, for Postfix DANE support), the process may now
 do a runtime test to determine if DNSSEC validation is available.

 The new dnssec_probe parameter specifies a DNS query type (default: "ns")
 and DNS query name (default: ".") that Postfix may use to determine
 whether DNSSEC validation is available. Specify an empty value to disable
 this feature.

 When dnssec_probe is enabled, a Postfix process will send a DNSSEC probe
 after 1) the process made a DNS query that requested DNSSEC validation, 2)
 the process did not receive a DNSSEC validated response to this query or
 to an earlier query, and 3) the process did not already send a DNSSEC
 probe.

 When the DNSSEC probe has no response, or when the response is not DNSSEC
 validated, Postfix logs a warning that DNSSEC validation may be
 unavailable. Examples:

 warning: DNSSEC validation may be unavailable
 warning: reason: dnssec_probe 'ns:.' received a response that is not
 DNSSEC validated
 warning: reason: dnssec_probe 'ns:.' received no response: Server failure

 With this update, the Postfix build system will no longer automatically
 disable DNSSEC support when it determines that Postfix will use libc-musl.
 This removes the earlier libc-musl workaround introduced with Postfix
 3.2.15, 3.3.10, 3.4.12, and 3.5.2.
 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/14528#comment:2>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
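The following is an added illustration of the dnssec_probe decision logic described in the quoted release note; it is not Postfix source code. It models the three conditions under which a process sends a probe and reproduces the two warning lines the note lists. Assumptions not stated in the note: the parameter value uses the 'type:name' form seen in the example ('ns:.'), and a resolver reply is reduced to a constructed DnsAnswer carrying "validated or not" plus an optional failure text such as "Server failure".

```python
# Added illustration of the dnssec_probe decision logic described above.
# This is NOT Postfix source; it models the three stated conditions and the
# warning lines from the release note. Assumptions: the parameter uses the
# 'type:name' form seen in the example ('ns:.'), and a resolver reply is
# reduced to "validated or not" plus an optional failure reason.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DnsAnswer:
    """Constructed stand-in for a resolver reply.

    validated -> the reply carried DNSSEC validation (the AD bit in practice);
    error     -> set when there was no usable response, e.g. "Server failure".
    """
    validated: bool
    error: Optional[str] = None


def parse_dnssec_probe(value: str) -> Optional[Tuple[str, str]]:
    """Parse a dnssec_probe value of the form 'type:name'.

    Returns (qtype, qname); an empty value disables probing and yields None.
    """
    value = value.strip()
    if not value:
        return None
    qtype, sep, qname = value.partition(":")
    if not sep or not qtype or not qname:
        raise ValueError(f"dnssec_probe {value!r}: expected 'type:name'")
    return qtype.lower(), qname


@dataclass
class DnssecProbeState:
    """Per-process bookkeeping behind the three probe conditions."""
    probe_setting: str = "ns:."
    saw_validated_answer: bool = False   # condition 2: any validated reply so far
    probe_sent: bool = False             # condition 3: at most one probe per process
    log: List[str] = field(default_factory=list)

    def on_lookup(self, requested_dnssec: bool, answer: Optional[DnsAnswer]) -> bool:
        """Record one ordinary DNS lookup; return True if a probe is due now."""
        if answer is not None and answer.validated:
            self.saw_validated_answer = True
        if parse_dnssec_probe(self.probe_setting) is None:
            return False                      # feature disabled (empty value)
        if not requested_dnssec:
            return False                      # condition 1 not met
        if self.saw_validated_answer:
            return False                      # condition 2 not met
        return not self.probe_sent            # condition 3

    def on_probe_result(self, probe_answer: Optional[DnsAnswer]) -> List[str]:
        """Log the warnings for a probe reply; an empty list means all is well."""
        probe = parse_dnssec_probe(self.probe_setting)
        if probe is None:
            return []
        self.probe_sent = True
        label = f"dnssec_probe '{probe[0]}:{probe[1]}'"
        if probe_answer is None or probe_answer.error:
            reason = probe_answer.error if probe_answer else "no reply"
            detail = f"{label} received no response: {reason}"
        elif not probe_answer.validated:
            detail = f"{label} received a response that is not DNSSEC validated"
        else:
            return []                         # validated probe reply: no warning
        lines = ["warning: DNSSEC validation may be unavailable",
                 f"warning: reason: {detail}"]
        self.log.extend(lines)
        return lines


def simulate(setting: str, lookups, probe_answer) -> List[str]:
    """Replay constructed (requested_dnssec, answer) lookups through one
    process and return the warning lines it would have logged."""
    state = DnssecProbeState(probe_setting=setting)
    for requested, answer in lookups:
        if state.on_lookup(requested, answer):
            state.on_probe_result(probe_answer)
    return state.log


if __name__ == "__main__":
    # Constructed scenario: a DANE lookup gets an unvalidated reply and the
    # probe itself fails with a SERVFAIL-style error.
    for line in simulate("ns:.", [(True, DnsAnswer(validated=False))],
                         DnsAnswer(validated=False, error="Server failure")):
        print(line)
```

The useful property to note for operators is condition 3: the warning appears at most once per process, so on a busy smtp(8) instance a single pair of lines in the log may cover many affected deliveries, and clearing the underlying resolver problem (a non-validating resolver in /etc/resolv.conf, or a libc that strips the AD bit) is what makes the warning stop, not restarting the process.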
