Please enable JavaScript to view this site.

MDaemon Email Server 24.5

Navigation: Security Menu > Security Manager > SSL & TLS

DNSSEC

Scroll Prev Top Next More

The DNSSEC (DNS Security Extensions) option allows MDaemon to act as a Non-Validating Security-Aware Stub Resolver, which is defined in RFCs 4033 and 4035 as "an entity that sends DNS queries, receives DNS responses, and is capable of establishing an appropriately secured channel to a security-aware recursive name server that will provide these services on behalf of the security-aware stub resolver." What this means is that during MDaemon's DNS queries it can request DNSSEC service from your DNS servers, setting the AD (Authentic Data) bit in the queries and checking for it in the answers. This can provide an additional level of security during the DNS process for some messages, although not all, because DNSSEC is not yet supported by all DNS servers or for all top-level domains.

When enabled, DNSSEC service is only applied to messages that meet your selection criteria; it can be requested or required as broadly or narrowly as you choose. Simply designate any "Header Value" combinations you choose on this screen and MDaemon will request DNSSEC service for any messages matching that criteria whenever performing a DNS query. When the DNS results fail to include authenticated data then no negative consequences result; MDaemon simply falls back to normal DNS behavior. If, however, you wish to require DNSSEC for certain messages, add "SECURE" to the header/value combination (e.g. To *@example.net SECURE). For those messages, when the DNS results fail to include authenticated data, the message will be bounced back to the sender. Note: Because DNSSEC lookups take more time and resources, and because DNSSEC is not yet supported by all servers, MDaemon is not configured to apply DNSSEC to every message delivery by default. However, if you wish to request DNSSEC for every message you can do so by included "To *" in your criteria.

Mail session logs will include a line at the top if DNSSEC service was used and "DNSSEC" will appear next to secure data in the logs.

Because MDaemon is a non-validating stub-resolver, it will request authenticated data from your DNS server but it has no way to independently verify that the data it gets from the server is secure. For this reason, to successfully use the DNSSEC option you must ensure that you trust your connection to your DNS server. For example, it runs on localhost or within a secure LAN or workplace.