Author: Christian Eyrich
Date:
To: exim-users
Subject: [exim] Failing for DNSSEC lookup
Hi there,
my exim installation is failing when I try forcing DNSSEC for DANE using
"dnssec_require_domains" for any domain.
I tried to solve this riddle but failed, so I ask you to please solve it
for me or give me hints on what I can try to debug it further. Following
is the information I already have.
Example from "exim -bd -d-all+route+transport+dns" when forced in the
router:
--------> dnslookup_secure router <--------
local_part=dnssectest1 domain=mailbox.org
checking domains
R: dnslookup_secure for dnssectest1@???
calling dnslookup_secure router
dnslookup_secure router called for dnssectest1@???
domain = mailbox.org
DNS lookup of mailbox.org (MX) succeeded
dnslookup_secure router: defer for dnssectest1@???
message: host lookup done insecurely
added retry item for R:dnssectest1@???: errno=-1 more_errno=0
flags=0
LOG: MAIN
== dnssectest1@??? R=dnslookup_secure defer (-1): host lookup
done insecurely
The DNS server used is a system-local installation of unbound, which to my
knowledge works and validates correctly, e.g.
chris@momos:~$ unbound-host -vDr mailbox.org
mailbox.org has address 80.241.60.194 (secure)
mailbox.org has IPv6 address 2001:67c:2050:106::443:194 (secure)
mailbox.org mail is handled by 10 mx1.mailbox.org. (secure)
mailbox.org mail is handled by 50 mx-n.mailbox.org. (secure)
mailbox.org mail is handled by 20 mx3.mailbox.org. (secure)
mailbox.org mail is handled by 10 mx2.mailbox.org. (secure)
For exim it doesn’t matter if dns_dnssec_ok = 1 is set or not in exim4.conf.
Configuration: exim 4.94.2 on Debian Bullseye, GnuTLS 3.7.1