On 10/21/20 11:16 AM, Fred Morris wrote:
> If DNSSEC isn't required for the domain(s) in question (or at least
> postfix in this specific case) you might look at RPZ as a way of
> rewriting just a single record in the zone: https://www.dnsrpz.info/

Demi M. Obenour:
> You can also use a local validating recursive resolver (such as
> Unbound) and inject a fake record yourself. Postfix doesn't validate
> DNSSEC on its own. That said, I am not sure how to get Unbound to
> lie about the AD bit.

Postfix "requests" DNSSEC validation only when the TLS security level involves DANE support, so lack of DNSSEC validation for a SPECIFIC name is not necessarily a problem.

However, Postfix 3.6 and later will try to determine if DNSSEC is available (by default, querying the root zone NS record) and will log a warning if the response is not DNSSEC validated.

http://www.postfix.org/postconf.5.html#dnssec_probe

So as long as unbound etc. are transparent for most of DNS, some selective rewriting should be OK.

	Wietse
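An added illustration of the setup Wietse describes (example configuration, not part of this thread and not taken from the Postfix or Unbound documentation): Unbound keeps validating everything, including the root NS query behind dnssec_probe, while one record is answered locally. The domain, hostname and address are constructed placeholders.

```conf
# --- unbound.conf (added example; names and address are placeholders) ---
server:
    interface: 127.0.0.1
    # Keep the validator in the module pipeline so every query that is not
    # overridden below, including the root NS lookup that Postfix 3.6+
    # sends as its dnssec_probe, is validated and gets the AD bit as usual.
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # typetransparent: only the exact name/type present in local-data is
    # answered locally; any other name or type under example.com is
    # resolved upstream and validated normally.
    local-zone: "example.com." typetransparent
    local-data: "mail.example.com. 300 IN A 192.0.2.10"
    # Caveat: an answer synthesized from local-data is not DNSSEC-signed,
    # so Unbound returns it without the AD bit. That is Demi's point above:
    # the resolver cannot honestly claim validation for the rewritten name,
    # so a DANE-dependent lookup of that name will not be treated as secure.

# --- main.cf (Postfix 3.6 and later) ---
# Defaults shown explicitly. The probe only fires when Postfix asks for
# DNSSEC results; with the Unbound setup above its reply validates, so the
# "not DNSSEC validated" warning from the thread is not logged.
dnssec_probe = ns:.
smtp_dns_support_level = dnssec
```

Check the override and the validation separately: `dig @127.0.0.1 mail.example.com A` should return the local address without the `ad` flag, while `dig @127.0.0.1 . NS` should return the real root servers with `ad` set.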