Re: posttls-finger / DANE failure

2017-10-18 Thread Mal
On 18/10/2017 3:56 PM, Viktor Dukhovni wrote:
>> dnssec-validation no;
>
> This is ignored for authoritative zones, and useful for recursive
> servers. So long as your server continues to provide both authoritative
> and recursive service (not a good idea), you should leave this in place.
>
>

Re: posttls-finger / DANE failure

2017-10-17 Thread Viktor Dukhovni
> On Oct 17, 2017, at 5:58 AM, Mal wrote:
>
> Bingo. That information certainly explains the behavior observed.
>
> Does this therefore require DNSSEC-validation to be set to "no" (for the
> authoritative NS):
> dnssec-enable yes;

This must stay "yes" or else you DoS your domain.

> dnss

Re: posttls-finger / DANE failure

2017-10-17 Thread Mal
On 18/10/2017 1:17 AM, /dev/rob0 wrote:
> Um, validation is exclusively done on NON-authoritative lookup
> results. I'm not sure what you are thinking. In order:

This was pointed out previously.

> 1. dnssec-enable no; would prevent your BIND server from serving
> required records from a si

Re: posttls-finger / DANE failure

2017-10-17 Thread /dev/rob0
On Tue, Oct 17, 2017 at 08:28:02PM +1030, Mal wrote:
> On 17/10/2017 7:14 PM, Viktor Dukhovni wrote:
>
> > So it seems that the machine in question has the authoritative
> > server for the zone as its recursive server. Such mixing of
> > authoritative and recursive workloads is discouraged thes

Re: posttls-finger / DANE failure

2017-10-17 Thread Mal
On 17/10/2017 7:14 PM, Viktor Dukhovni wrote:
> So it seems that the machine in question has the authoritative
> server for the zone as its recursive server. Such mixing of
> authoritative and recursive workloads is discouraged these days,
> and critically, it breaks DANE in Postfix for any aut

Re: posttls-finger / DANE failure

2017-10-17 Thread Viktor Dukhovni
> On Oct 17, 2017, at 3:58 AM, Mal wrote:
>
>> There's no such thing as "AD records".
>
> Was just a shortcut for 'Authoritative domain record'.

I've never seen that phrase before.

> The zone exists on that resolver and is queried directly.
> Will avoid lo[o]se English in future.

So it seem

Re: posttls-finger / DANE failure

2017-10-17 Thread Mal
On 17/10/2017 5:11 PM, Viktor Dukhovni wrote:
> The only way to find out they don't exist is to ask.

Very good.

> No TLSA records were found, perhaps because the "A" records were
> reported insecure, or because the TLSA records don't exist.

TLSA record is present. The sys4 Dane SMTP validato

Re: posttls-finger / DANE failure

2017-10-16 Thread Viktor Dukhovni
On Tue, Oct 17, 2017 at 01:56:39PM +1030, Mal wrote:
> This MTA is a dual stack postfix machine, which also has a dual stack
> resolver running.

Not clear how this is relevant...

> When testing DANE to a remote IPv4-only MTA, I see an attempt to look up
> a non-existent record by posttls-fin

posttls-finger / DANE failure

2017-10-16 Thread Mal
Hello

This MTA is a dual stack postfix machine, which also has a dual stack resolver running. When testing DANE to a remote IPv4-only MTA, I see an attempt to look up a non-existent record by posttls-finger. The remote site has only IPv4 records in the zone, except for the zone NS records,