Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 13 Apr 2020 11:25:41 +0200
From: Christian <>
Subject: Resolver routines, Postfix DNSSEC troubles - how to check for

Hi there,

I am having an issue in my alpine docker setup with Postfix. I
activated DANE for my server and did some tests if E-Mails are handled
correctly. In that I found the outgoing mails to fail using DANE.

Investigating the issue with Viktor Dukhovni over at postfix-users, we
figured, that Postfix has troubles recognising the DANE parameters of
the target server I am sending my E-Mails to. If you are interested in the conversation:

In the tcpdumps we could figure, that no DNSSEC flags are in the
request by Postfix, hence not getting the information to properly do
DANE. That explains the failure of DANE, however not why this is

I am no programmer, hence not sure about libc etc. but Viktors last
"When Postfix is configured with "smtp_dns_support_level = dnssec", the
RES_USE_DNSSEC and RES_USE_EDNS0 flags are set around calls to the
resolver routines.  If your C-library (perhaps only inside docker) has
an incopatible resolver API, then you'll need a more compatible
resolver library and/or a different container technology."

In comparison using dig to check for DNSSEC out of the same container
based on alpine works. However I do not know if the request is
constructed the same way.

So the question is now on how we can go about this to figure if there
is an incompatibility?

Kind regards

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.