Postfix stable release 3.5.9 and legacy releases 3.4.19, postfix-3.3.16, 3.2.21
Runtime detection of DNSSEC support
This update improves the reporting of DNSSEC problems that may
affect DANE security. DNSSEC support may unavailable because of
local configuration, libc incompatibility, or other infrastructure
issues. This was backported from Postfix 3.6.
Background: DNSSEC validation is needed for Postfix DANE support;
this ensures that Postfix receives TLSA records with secure TLS
server certificate info. When DNSSEC validation is unavailable,
mail deliveries using opportunistic DANE (security level 'dane')
will not be protected by server certificate info in TLSA records,
and mail deliveries using mandatory DANE (security level 'dane-only')
will not be made at all.
This update introduces the following behavior: when a process
requests DNSSEC support (typically, for Postfix DANE support), the
process may now do a runtime test to determine if DNSSEC validation
The new dnssec_probe parameter specifies a DNS query type (default:
"ns") and DNS query name (default: ".") that Postfix may use to
determine whether DNSSEC validation is available. Specify an empty
value to disable this feature.
When dnssec_probe is enabled, a Postfix process will send a DNSSEC
probe after 1) the process made a DNS query that requested DNSSEC
validation, 2) the process did not receive a DNSSEC validated
response to this query or to an earlier query, and 3) the process
did not already send a DNSSEC probe.
When the DNSSEC probe has no response, or when the response is not
DNSSEC validated, Postfix logs a warning that DNSSEC validation may
be unavailable. Examples:
warning: DNSSEC validation may be unavailable
warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
warning: reason: dnssec_probe 'ns:.' received no response: Server failure
With this update, the Postfix build system will no longer automatically
disable DNSSEC support when it determines that Postfix will use
libc-musl. This removes the earlier libc-musl workaround introduced
with Postfix 3.2.15, 3.3.10, 3.4.12, and 3.5.2.