On Sun, Sep 27, 2020 at 05:56:52PM -0400, Wietse Venema wrote:

> A draft manpage is below.

It looks very reasonable.  The news might not reach the folks who only
search for particular queue ids in the logs, but shoehorning a (say
the MX lookup) DNSSEC status into each smtp delivery log entry is
likely too invasive.  Perhaps if we had an option to switch logging
to JSON (nice job on "postqueue -j", by the way, very useful that),
then the JSON variant might be able to report additional non-essential
to most, but useful to some, details.

> dnssec_probe (default: ns:.)
>        The DNS query type (default: "ns") and DNS query name (default: ".")
>        that Postfix may use to determine whether DNSSEC is available.
>
>        When DNSSEC validation is unavailable, mail deliveries using
>        opportunistic DANE will not be protected by TLSA records, and mail
>        deliveries using mandatory DANE will fail.
>
>        Postfix will use the DNSSEC probe when a Postfix program requests
>        DNSSEC validation, and the Postfix program did not receive a DNSSEC
>        validated response to this query, or to an earlier query.  Possible
>        reasons for an insecure reply are:
>
>        o      The query name is in a DNS zone that has no DNSSEC signatures.
>
>        o      The local resolv.conf file points to a DNS resolver that does
>               not validate DNSSEC signatures.
>
>        o      Some intermediate DNS resolver does not validate DNSSEC
>               signatures.
>
>        o      The system library does not pass on the "DNSSEC is validated"
>               bit to Postfix, perhaps because Postfix does not know how to ask
>               the library to do that.
>
>        By default, the DNSSEC probe asks for the DNS root zone NS records.  If
>        Postfix runs on a network where the DNS root zone is not reachable,
>        specify a different probe, or specify an empty probe value to disable
>        this feature.
>
>        When the DNSSEC probe fails, or when Postfix receives a reply that is
>        not DNSSEC validated, Postfix logs a warning that DNSSEC validation may
>        be unavailable.
>
>        This feature is available in Postfix 3.6 and later.

-- 
	Viktor.
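As an added illustration of what the draft's dnssec_probe check amounts to on the wire (this is not Postfix code and not part of the thread above): the Python below builds a DNS query for a Postfix-style "type:name" probe spec with the AD bit set in the request, which asks a validating resolver to report the AD (Authentic Data) bit in its reply, and classifies the reply as "validated" (AD set), "insecure" (NOERROR but no AD) or "failed" (SERVFAIL, mismatched id, empty answer, timeout). The `send_probe` function talks to a real resolver over UDP; the three reply headers at the bottom are constructed so the classification can be exercised offline. Only the standard library is used; the function names and the "disabled" result for an empty probe value are this example's own choices.

```python
"""Minimal DNSSEC-availability probe (added example, not Postfix code)."""
import socket
import struct

# Subset of query types a probe spec might name; "ns:." is the draft default.
QTYPES = {"a": 1, "ns": 2, "soa": 6, "aaaa": 28, "tlsa": 52}

FLAG_QR = 0x8000   # reply
FLAG_TC = 0x0200   # truncated
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authentic data (DNSSEC validated by the resolver)


def encode_name(name: str) -> bytes:
    """Wire-encode a DNS name; the root "." encodes as a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_probe(probe: str = "ns:.", txid: int = 0x1234) -> bytes:
    """Build a query for a "type:name" probe spec with RD and AD set.

    Setting AD in the request asks a validating resolver to set AD in its
    reply (RFC 6840, section 5.7); without it some resolvers stay silent.
    """
    qtype, qname = probe.split(":", 1)
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPES[qtype.lower()], 1)
    return header + question


def parse_header(reply: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the probe cares about."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "txid": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(reply: bytes, txid: int = 0x1234) -> str:
    """Map a reply to "validated", "insecure" or "failed"."""
    h = parse_header(reply)
    if h["txid"] != txid or not h["qr"] or h["rcode"] != 0 or h["ancount"] == 0:
        return "failed"
    return "validated" if h["ad"] else "insecure"


def send_probe(resolver: str, probe: str = "ns:.", timeout: float = 3.0) -> str:
    """Send the probe to a resolver over UDP and classify the reply.

    An empty probe value mirrors the draft's "disable this feature" case and
    returns "disabled" without touching the network.  (Needs network otherwise.)
    """
    if not probe:
        return "disabled"
    query = build_probe(probe)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "failed"
    return classify(reply)


# Constructed reply headers (answer bodies omitted; only the header is read).
VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 13, 0, 0)
INSECURE_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 13, 0, 0)
SERVFAIL_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | 2, 1, 0, 0, 0)

if __name__ == "__main__":
    for name, reply in (("validated", VALIDATED_REPLY), ("insecure", INSECURE_REPLY),
                        ("servfail", SERVFAIL_REPLY)):
        print(f"{name:10s} -> {classify(reply)}")
    # Live check against the local resolver, e.g.: send_probe("127.0.0.1")
```

Two practical notes. First, an "insecure" result from this probe does not distinguish between the four causes the draft lists; a resolver that validates but sits behind a forwarder that strips AD looks the same as one that never validated. Second, the last bullet in the draft is real on Linux: glibc 2.31 and later clear the AD bit in replies unless resolv.conf contains "options trust-ad", so a program that goes through the libc resolver can see "insecure" even when the resolver did validate, which is why a raw-socket probe like this one and the libc path can disagree.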