Viktor Dukhovni via Postfix-users wrote in
 <z6r8eqr7lmw6w...@chardros.imrryr.org>:
 |On Mon, Feb 10, 2025 at 04:14:36PM +0100, Danjel Jungersen via Postfix-u\
 |sers wrote:
 ...
 |If so, that's pretty simple, you need a local DNSSEC validating resolver
 |(BIND, unbound, knot, not systemd-resolved or dns-masq).

Why not dnsmasq?

  $ dig +dnssec @127.0.0.1 postfix.org DNSKEY

  ; <<>> DiG 9.20.5 <<>> +dnssec @127.0.0.1 postfix.org DNSKEY
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5256
  ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags: do; udp: 512
  ;; QUESTION SECTION:
  ;postfix.org.                   IN      DNSKEY

  ;; ANSWER SECTION:
  postfix.org. 900 IN DNSKEY 257 3 13 i/mbxbkeB1dIBk92OJoVmcQJP8HQzGqm7LDqmaUusqmexdeGLe1qbHTM +FP83JjcBN0VZNbQBT2077QgMNAKIw==
  postfix.org. 900 IN DNSKEY 256 3 13 J0jDckCF1wK/deFpt40cOiamhyhvf+vB0T/MT7xtTOC1qrPQyFkqwAAZ 4MoMx3Ob83HIGmG/GfqaCXKa80zgqw==
  postfix.org. 900 IN RRSIG DNSKEY 13 2 900 20250223211234 20250209202427 60454 postfix.org. PnTs9OAvPcSqQT/LB1+Sxwg5TYKOWxLVuoOk5IQ9i0T7R7/rU/c+PpuI tPJYbKZsnCuccxkmDsvXlxmtuqGuKw==

This works?
(dnsmasq had a CVE (I think, anyway: breach) regarding DNSSEC and
now logs more entries than ever:

  Feb 11 12:03:00 dnsmasq[3005]: queries for authoritative zones ..
  Feb 11 12:03:00 dnsmasq[3005]: DNSSEC per-query subqueries HWM ..
  Feb 11 12:03:00 dnsmasq[3005]: DNSSEC per-query crypto work HWM ..
  Feb 11 12:03:00 dnsmasq[3005]: DNSSEC per-RRSet signature fails HWM ..)

--steffen
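
Added example, not part of the original message and not code from Postfix or dnsmasq: the dig run above shows the "ad" flag on an answer for a signed zone; a common complementary check is that the same resolver returns SERVFAIL for a zone whose signatures are deliberately invalid. The sketch below classifies a resolver from the headers of two such "dig +dnssec" runs; the function names and the two BOGUS_* samples are constructed for illustration.

```python
import re

# The two header lines dig prints for every response.
_STATUS = re.compile(r"->>HEADER<<-.*?status:\s*(\w+)")
_FLAGS = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)

def parse_dig_header(text):
    """Return (status, set_of_flags) from the text output of dig."""
    status = _STATUS.search(text)
    flags = _FLAGS.search(text)
    if not status or not flags:
        raise ValueError("no dig response header found")
    return status.group(1), set(flags.group(1).split())

def assess_resolver(signed_out, bogus_out):
    """Classify a resolver from two 'dig +dnssec' runs against it.

    signed_out: output for a correctly signed zone
    bogus_out:  output for a zone with deliberately invalid signatures
    """
    s_status, s_flags = parse_dig_header(signed_out)
    b_status, _ = parse_dig_header(bogus_out)
    if s_status != "NOERROR":
        return "inconclusive: signed zone did not resolve"
    if "ad" not in s_flags:
        return "not validating: no AD flag on the signed answer"
    if b_status == "SERVFAIL":
        return "validating: AD on signed answer, bogus answer refused"
    return "not enforcing: AD on signed answer, but bogus answer returned"

# SIGNED is the header from the message above; the BOGUS_* samples are
# constructed for this example (assumed test zone, not a real capture).
SIGNED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5256
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1"""
BOGUS_REFUSED = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""
BOGUS_ACCEPTED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""

if __name__ == "__main__":
    print(assess_resolver(SIGNED, BOGUS_REFUSED))
    print(assess_resolver(SIGNED, BOGUS_ACCEPTED))
```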