Earlier this year there was a thread about Postfix failing to notice
that some TLSA record was corrupted, because

- Postfix was configured to use opportunistic DANE, which ignores
  TLSA records when they aren't DNSSEC validated.

- Some system library API did not indicate whether responses were
  DNSSEC validated, therefore Postfix ignored all TLSA records.

This happened with libc-musl, and with glibc.

Of course Postfix would refuse to deliver to destinations that are
configured to use "mandatory DANE", because that requires DNSSEC
validated TLSA records.

I am implementing code where Postfix will try to find out if DNSSEC
validation is available. This may explain why "mandatory DANE"
does not work, and why opportunistic DANE will be a NOOP.

A draft manpage is below.

        Wietse

dnssec_probe (default: ns:.)
       The DNS query type (default: "ns") and DNS query name (default: ".")
       that Postfix may use to determine whether DNSSEC is available.

       When DNSSEC validation is unavailable, mail deliveries using
       opportunistic DANE will not be protected by TLSA records, and mail
       deliveries using mandatory DANE will fail.

       Postfix will use the DNSSEC probe when a Postfix program requests
       DNSSEC validation, and the Postfix program did not receive a DNSSEC
       validated response to this query, or to an earlier query. Possible
       reasons for an insecure reply are:

       o      The query name is in a DNS zone that has no DNSSEC signatures.

       o      The local resolv.conf file points to a DNS resolver that does
              not validate DNSSEC signatures.

       o      Some intermediate DNS resolver does not validate DNSSEC
              signatures.

       o      The system library does not pass on the "DNSSEC is validated"
              bit to Postfix, perhaps because Postfix does not know how to ask
              the library to do that.

       By default, the DNSSEC probe asks for the DNS root zone NS records. If
       Postfix runs on a network where the DNS root zone is not reachable,
       specify a different probe, or specify an empty probe value to disable
       this feature.

       When the DNSSEC probe fails, or when Postfix receives a reply that is
       not DNSSEC validated, Postfix logs a warning that DNSSEC validation may
       be unavailable.

       This feature is available in Postfix 3.6 and later.
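The probe the draft manpage describes, written out as an added stand-alone example (not Postfix's own code): it sends the default "ns:." query with EDNS0 and the DO bit set, then classifies the reply by its AD bit, so an operator can check what their resolver actually returns. Assumed, not stated in the post: UDP to 127.0.0.1 port 53 and a 2-second timeout.

```python
import random
import socket
import struct

QTYPE_NS = 2  # the default probe type in the draft manpage ("ns")


def build_probe(qname=".", qtype=QTYPE_NS, txid=0x1234):
    """Build a wire-format query with EDNS0 and the DO bit set."""
    flags = 0x0100 | 0x0020  # RD (recursion desired) + AD (ask for AD)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    labels = [l.encode() for l in qname.strip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP size 1232, TTL field carries DO=0x8000
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0)
    return header + question + opt


def classify_reply(reply, txid=0x1234):
    """Return "secure" (AD set), "insecure" (AD clear) or "error"."""
    if len(reply) < 12:
        return "error"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:
        return "error"  # wrong id, not a response, or non-zero RCODE
    return "secure" if flags & 0x0020 else "insecure"


def probe(resolver="127.0.0.1", timeout=2.0):
    """Send the probe over UDP (assumed transport) and classify the reply."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_probe(txid=txid), (resolver, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "error"
    return classify_reply(reply, txid)


if __name__ == "__main__":
    result = probe()
    if result != "secure":
        # Mirrors the warning the manpage says Postfix logs in this case.
        print("warning: DNSSEC validation may be unavailable (%s)" % result)
    else:
        print("DNSSEC validation appears to be available")
```

An "insecure" result from a resolver that is known to validate points at the fourth cause in the manpage list: the AD bit is being dropped somewhere between the resolver and the caller.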
