On Sun, Mar 28, 2021 at 01:08:44AM +0100, Francesc Peñalvez wrote:

> Right now dnssec is activated in the external manager zoneedit.com, in
> which I cannot modify the type of encryption or the length of the key.

If there are no key size or algorithm settings in zoneedit.com, then indeed you're set. The largish ZSK is typically OK, just risks some trouble with UDP fragmentation for a small fraction of clients on networks that doesn't work well.

> And if I am looking to activate inbound and outbound dnssec with my postfix

There is no such thing as inbound DNSSEC specifically for Postfix. If your domain is signed, then validating resolvers will check the signatures as a routine part of MX and A/AAAA lookups.

For outbound DNSSEC, just turn on DNSSEC validation in your local resolver. There again nothing Postfix-specific to be done. DNSSEC only comes into play if you're looking to do DANE.

    http://www.postfix.org/TLS_README.html#client_tls_dane

See also the resource links at: https://stats.dnssec-tools.org/explore/?.

-- 
    Viktor.
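
The remark above about a largish ZSK and UDP fragmentation can be checked offline with a size estimate. This is an added example, not part of the original message: it assumes RSA keys with exponent 65537, a 2048-bit KSK as the only signer of the DNSKEY RRset, and the placeholder zone `example.com`; the key material is constructed, not real.

```python
import base64
import struct

EDNS_SAFE = 1232  # bytes; EDNS buffer size recommended by DNS Flag Day 2020

def make_sample_key(bits):
    """Constructed (not real) RSA DNSKEY public-key field, exponent 65537."""
    modulus = b"\xc3" + b"\x5a" * (bits // 8 - 1)
    return base64.b64encode(b"\x03\x01\x00\x01" + modulus).decode()

def rsa_dnskey_bits(pubkey_b64):
    """Modulus size in bits of an RSA DNSKEY public-key field (RFC 3110)."""
    raw = base64.b64decode(pubkey_b64)
    exp_len, off = raw[0], 1
    if exp_len == 0:  # long form: next two bytes hold the exponent length
        exp_len, off = struct.unpack("!H", raw[1:3])[0], 3
    return int.from_bytes(raw[off + exp_len:], "big").bit_length()

def dnskey_response_size(zone, key_bits, signer_bits):
    """Estimate the size of a DNSKEY answer with RRSIGs, in bytes."""
    name = len(zone.rstrip(".")) + 2       # wire-format length of the zone name
    size = 12 + name + 4                   # header + question
    for bits in key_bits:                  # one DNSKEY RR per key
        # compressed owner (2) + fixed RR fields (10) + flags/proto/alg (4)
        # + exponent length byte and 3-byte exponent (4) + modulus
        size += 2 + 10 + 4 + (4 + bits // 8)
    for bits in signer_bits:               # one RRSIG per signing key
        # owner (2) + fixed RR fields (10) + fixed RRSIG RDATA (18)
        # + uncompressed signer name + signature (same length as modulus)
        size += 2 + 10 + 18 + name + bits // 8
    return size + 11                       # EDNS OPT pseudo-record

if __name__ == "__main__":
    zsk = rsa_dnskey_bits(make_sample_key(4096))
    cases = [("steady state", [zsk, 2048]), ("ZSK rollover", [zsk, zsk, 2048])]
    for label, keys in cases:
        n = dnskey_response_size("example.com", keys, [2048])
        print(label, n, "fits" if n <= EDNS_SAFE else "exceeds", EDNS_SAFE)
```

Under these assumptions a single 4096-bit ZSK stays below the 1232-byte mark, while a second one published during a rollover pushes the DNSKEY answer past it.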