On Thu, Nov 17, 2016 at 10:18:01PM +0100, Walter Doekes wrote:
> >Postfix will not directly query the remote nameserver, and indeed
> >with DANE you're supposed to be configured to *only* query the
> >local resolver. What resolver is that? And how is it configured?
> >
> >Once the A records come back insecure (AD=0), Postfix will not
> >query for TLSA records.
>
> Yes, I was aware that postfix doesn't do the recursion itself. The
> @remote-dns in the example was merely to clarify.
>
> You are right. I checked with bind9 as recursor today and it does two
> queries: first one that gets the FORMERR and then a second one without EDNS
> that succeeds. It'll happily pass along the successful response to the
> original requestor.
>
> That looks like I have my DNS recursor to blame for the problem. It's a
> powerdns recursor, version 4.0.0~alpha2 if I'm not mistaken.
>
> I'll be forwarding the issue with the appropriate evidence there if it
> hasn't been fixed already.
Please post a summary with the resolution. If for some (unlikely) reason you
don't get an adequate answer from PowerDNS support, drop me a note, I can reach
out directly to the developers.

Recursors are expected to behave in the manner you observed with bind9.

-- 
Viktor.
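The two behaviours the thread turns on (Postfix only asking for TLSA when the MX host's address answer carries AD=1, and a recursor retrying an EDNS query that drew FORMERR without EDNS) modelled on constructed wire-format DNS headers; this is an added illustration, not Postfix or PowerDNS code, and the recursor and authoritative-server functions are simplified stand-ins.

```python
import struct

# Wire-format DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (16-bit each).
HEADER = struct.Struct("!HHHHHH")
RCODE_NOERROR, RCODE_FORMERR = 0, 1


def build_response(qid, rcode=RCODE_NOERROR, ad=0):
    """Constructed minimal response header (QR=1, RD=1, RA=1) used as test data."""
    flags = (1 << 15) | (1 << 8) | (1 << 7) | (ad << 5) | rcode
    return HEADER.pack(qid, flags, 1, 0, 0, 0)


def parse_header(msg):
    """Extract the header bits a DANE client cares about: AD, CD and RCODE."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated DNS message")
    qid, flags, *_ = HEADER.unpack_from(msg)
    return {
        "id": qid,
        "ad": (flags >> 5) & 1,   # Authenticated Data: the validating resolver vouches for it
        "cd": (flags >> 4) & 1,   # Checking Disabled
        "rcode": flags & 0xF,
    }


def dane_step(mx_host_response):
    """Rule quoted in the thread: an insecure (AD=0) address answer for the MX host
    means no TLSA lookup at all; only an AD=1 answer leads on to the TLSA query."""
    h = parse_header(mx_host_response)
    if h["rcode"] != RCODE_NOERROR:
        return "lookup-error"        # e.g. FORMERR relayed straight to the client
    return "query-tlsa" if h["ad"] else "skip-tlsa"


def recursor_with_fallback(authoritative, qid):
    """The bind9 behaviour Walter observed: first query with EDNS, and if that gets
    FORMERR, retry without EDNS and relay whatever comes back. The DO bit lives in
    the EDNS OPT record, so the retried answer carries no DNSSEC data and stays AD=0."""
    first = authoritative(qid, edns=True)
    if parse_header(first)["rcode"] != RCODE_FORMERR:
        return first
    return authoritative(qid, edns=False)


def edns_hostile_auth(qid, edns):
    """Constructed authoritative server that answers EDNS queries with FORMERR."""
    return build_response(qid, RCODE_FORMERR) if edns else build_response(qid, ad=0)
```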