On Tue, 25 Feb 2014, Viktor Dukhovni wrote:
>> smtp_dns_support_level = dnssec
>> was enough to fix this. I'll see how many servers will have a
>> "Verified" connection in the future.
>
> I hope you read the note about the importance of having 127.0.0.1
> and/or ::1 as the only nameservers listed in /etc/resolv.conf, and

No, did not read it, but this was obvious :-)

> of course the local recursive resolver needs to be configured to
> do DNSSEC validation.

Was much easier to do the positive test, than the negative one.
A note to others having the same problem: Resolving www.dnssec-failed.org
(e.g. "dig www.dnssec-failed.org") should NOT result in an answer for the A
record.
Ciao
--
http://www.dstoecker.eu/ (PGP key available)
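
The two resolver checks mentioned in this message, written as a script. This is an added example and not part of the original mail; the function names and the sample dig outputs are constructed for illustration, and it assumes dig's standard output format.

```shell
#!/bin/sh
# Added example: the two resolver checks from the message above.

# True only if the resolv.conf at $1 lists at least one nameserver and
# every listed nameserver is 127.0.0.1 or ::1.
only_loopback_nameservers() {
    awk '$1 == "nameserver" { seen = 1
             if ($2 != "127.0.0.1" && $2 != "::1") bad = 1 }
         END { exit ((seen && !bad) ? 0 : 1) }' "$1"
}

# Reads full "dig NAME A" output on stdin.
# 0 = no A record came back (validation rejected the broken zone)
# 1 = an A record was returned (resolver is not validating)
# 2 = no response header at all (timeout etc.), test is inconclusive
negative_test() {
    awk '/^;; ->>HEADER<<-/ { header = 1 }
         !/^;/ && $3 == "IN" && $4 == "A" { answered = 1 }
         END { if (!header) exit 2; exit (answered ? 1 : 0) }'
}

# Constructed sample outputs (not captured from a real resolver).
SAMPLE_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.dnssec-failed.org.   IN  A'
SAMPLE_NOT_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.dnssec-failed.org.   IN  A
;; ANSWER SECTION:
www.dnssec-failed.org.  300  IN  A  192.0.2.10'

# Live check, only when run as: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    only_loopback_nameservers /etc/resolv.conf ||
        echo "resolv.conf lists a non-loopback nameserver (or none)"
    dig www.dnssec-failed.org A | negative_test
    case $? in
        0) echo "OK: no A record for www.dnssec-failed.org" ;;
        1) echo "FAIL: got an A record, resolver is not validating" ;;
        *) echo "inconclusive: no response from the resolver" ;;
    esac
fi
```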