Thank you, Viktor, but the code in the mail log is 450, which, whether it is generated by the DNS or postfix, is still a "try again later."
My post to the group is a "thank you" not an "I need help." We run our own DNS which is authoritative for our domain and uses root hints to retrieve addresses for hosts off our domain. I configured DNSSEC to handle the domains that were failing lookup.

Anyway, thanks to all.

John

----------------------------------------

Mar 7, 2025 11:58:26 PM Viktor Dukhovni via Postfix-users <postfix-users@postfix.org>:

> On Fri, Mar 07, 2025 at 02:38:23PM -0500, John Griffiths via Postfix-users
> wrote:
>
>> As Wietse said, the resolver (bind) was bouncing emails from hosts
>> that failed DNSSEC.
>
> Not bouncing mails, perhaps failing to resolve the domain. If you're on
> a RedHat system, you need to tweak the crypto policy and run a recent
> version of the resolver. I have:
>
>     # update-crypto-policies --show
>     DEFAULT:SHA1
>
>> Some domains are using an old algorithm that is no longer accepted by
>> the current DNSSEC default configuration.
>
> This is RedHat-specific. While the SHA1 algorithms are deprecated,
> they're still expected to work at present.
>
>> Three I have found are: comcast.net (algorithm 5), medicare.gov
>> (algorithm 7), and usps.gov (algorithm 7).
>
> See below. Algorithm 7 use is at ~0.5% of signed zones, while algorithm
> 5 is at ~0.08%. I do hope that comcast.net will consider switching to
> algorithm 13 (or 8) sooner rather than later.
>
>> The current recommended algorithms are 14, 15, and 16 with 15 being
>> preferred according to RFC 8624 sec. 3.1.
>
> No, the MTI algorithms are 8 and 13. Algorithm 14 is just a needlessly
> slow and bloated version of 13 for those who unwisely believe that
> larger keys are always better. While 15 (Ed25519) is technically a fine
> alternative to P-256, it does not yet have quite the broad support, so
> is still somewhat bleeding edge with an ~1-2% share of signed domains.
>
>     https://stats.dnssec-tools.org/#/?top=parameters&dnssec_param_tab=0
>
>     Alg Flags Proto #Domains
>      13   257     3 11799492
>       8   257     3 10006886
>      15   257     3   392929
>      10   257     3   194926
>      14   257     3   154452
>       7   257     3   113254
>       5   257     3    17789
>
> --
>     Viktor.
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
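
Added example, not part of the thread or of any poster's code: a Python sketch that reads DNSKEY records in `dig +noall +answer` layout and reports which zones have only SHA-1-based key-signing keys (algorithms 5 and 7), the case the thread reports failing on RedHat without the SHA1 subpolicy. The zone names and key data are constructed placeholders, and judging a zone by its KSK algorithms alone (rather than its DS records) is a simplifying assumption.

```python
import re
from collections import defaultdict

# SHA-1-based DNSSEC algorithms discussed in the thread:
# 5 = RSASHA1, 7 = RSASHA1-NSEC3-SHA1.
SHA1_ALGS = {5, 7}

# Constructed sample in `dig +noall +answer DNSKEY` layout. Zone names and
# key material are placeholders, not real records.
SAMPLE = """\
legacy.example.   3600 IN DNSKEY 257 3 7 AwEAAcPLACEHOLDER
legacy.example.   3600 IN DNSKEY 256 3 7 AwEAAdPLACEHOLDER
rolling.example.  3600 IN DNSKEY 257 3 5 AwEAAePLACEHOLDER
rolling.example.  3600 IN DNSKEY 257 3 13 mdsswPLACEHOLDER
modern.example.   3600 IN DNSKEY 257 3 13 oJMRESPLACEHOLDER
modern.example.   3600 IN RRSIG DNSKEY 13 2 3600 20250401000000 20250301000000 1234 modern.example. c2lnPLACEHOLDER
"""

# owner, TTL, class IN, type DNSKEY, then flags / protocol / algorithm / key.
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+\S+", re.M)

def ksk_algorithms(dig_output):
    """Map zone -> set of algorithm numbers on its KSKs (flags 257)."""
    zones = defaultdict(set)
    for owner, flags, proto, alg in RR.findall(dig_output):
        if int(flags) == 257 and int(proto) == 3:
            zones[owner.lower().rstrip(".")].add(int(alg))
    return dict(zones)

def classify(dig_output):
    """Label each zone by whether a validator without SHA-1 has a usable KSK."""
    report = {}
    for zone, algs in ksk_algorithms(dig_output).items():
        if algs <= SHA1_ALGS:
            report[zone] = "sha1-only"  # the case the thread reports failing
        elif algs & SHA1_ALGS:
            report[zone] = "mixed"      # a non-SHA-1 algorithm is also present
        else:
            report[zone] = "ok"
    return report

if __name__ == "__main__":
    for zone, status in sorted(classify(SAMPLE).items()):
        print(f"{zone:18} {status}")
```

To check real zones, feed the function the saved output of `dig +noall +answer DNSKEY <zone>` for each domain of interest.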