With the minimal patch below, it looks like Postfix DANE support will continue to work after a breaking change in Glibc 2.31. Tested on Fedora 32 beta.
This patch also deals with the 'multiple definition' errors caused by a breaking change in GCC 10. Also tested on Fedora 32 beta. Plan is to release this in Postfix 3.6 (development release) and then update the stable releases. Demo: ./posttls-finger dukhovni.org posttls-finger: using DANE RR: _25._tcp.smtp.dukhovni.org IN TLSA 3 1 1 5E:07:8B:31:60:56:9F:16:5A:69:EB:86:03:95:BB:BD:C7:57:6C:36:03:C3:45:2B:07:13:9C:27:6B:26:D0:1C posttls-finger: Connected to smtp.dukhovni.org[100.2.39.101]:25 posttls-finger: < 220 straasha.imrryr.org ESMTP Postfix posttls-finger: > EHLO localhost.localdomain posttls-finger: < 250-straasha.imrryr.org posttls-finger: < 250-PIPELINING posttls-finger: < 250-SIZE 104857600 posttls-finger: < 250-VRFY posttls-finger: < 250-ETRN posttls-finger: < 250-STARTTLS posttls-finger: < 250-ENHANCEDSTATUSCODES posttls-finger: < 250-8BITMIME posttls-finger: < 250-SMTPUTF8 posttls-finger: < 250 CHUNKING posttls-finger: > STARTTLS posttls-finger: < 220 2.0.0 Ready to start TLS posttls-finger: smtp.dukhovni.org[100.2.39.101]:25: depth=0 matched end entity public-key sha256 digest=5E:07:8B:31:60:56:9F:16:5A:69:EB:86:03:95:BB:BD:C7:57:6C:36:03:C3:45:2B:07:13:9C:27:6B:26:D0:1C posttls-finger: smtp.dukhovni.org[100.2.39.101]:25 CommonName mournblade.imrryr.org posttls-finger: smtp.dukhovni.org[100.2.39.101]:25: subject_CN=mournblade.imrryr.org, issuer_CN=mournblade.imrryr.org, fingerprint=DF:53:67:E7:87:D8:4E:9A:FF:34:A2:92:36:F8:15:1F:2F:15:82:1B, pkey_fingerprint=98:40:01:98:0F:75:58:35:92:3B:07:94:CF:58:B9:FA:99:C5:06:F5 posttls-finger: Verified TLS connection established to smtp.dukhovni.org[100.2.39.101]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 posttls-finger: > EHLO localhost.localdomain posttls-finger: < 250-straasha.imrryr.org posttls-finger: < 250-PIPELINING posttls-finger: < 250-SIZE 104857600 posttls-finger: < 250-VRFY posttls-finger: < 250-ETRN 
posttls-finger: < 250-ENHANCEDSTATUSCODES posttls-finger: < 250-8BITMIME posttls-finger: < 250-SMTPUTF8 posttls-finger: < 250 CHUNKING posttls-finger: > QUIT posttls-finger: < 221 2.0.0 Bye Patch follows after the signature. Wietse
diff -ur /var/tmp/postfix-3.6-20200316/Makefile.in ./Makefile.in
--- /var/tmp/postfix-3.6-20200316/Makefile.in 2020-03-08 12:44:03.000000000 -0400
+++ ./Makefile.in 2020-04-16 10:01:06.000000000 -0400
@@ -1,7 +1,7 @@
 # To test with valgrind:
 # make -i tests VALGRIND="valgrind --tool=memcheck --log-file=/some/where.%p"
 SHELL = /bin/sh
-WARN = -Wmissing-prototypes -Wformat -Wno-comment
+WARN = -Wmissing-prototypes -Wformat -Wno-comment -fcommon
 OPTS = 'WARN=$(WARN)'
 DIRS = src/util src/global src/dns src/tls src/xsasl src/master src/milter \
 src/postfix src/fsstone src/smtpstone \
diff -ur /var/tmp/postfix-3.6-20200316/makedefs ./makedefs
--- /var/tmp/postfix-3.6-20200316/makedefs 2020-02-02 11:09:17.000000000 -0500
+++ ./makedefs 2020-04-16 10:01:25.000000000 -0400
@@ -1136,7 +1136,7 @@
 : ${CC=gcc} ${OPT='-O'} ${DEBUG='-g'} ${AWK=awk} \
 ${WARN='-Wall -Wno-comment -Wformat -Wimplicit -Wmissing-prototypes \
 -Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
- -Wunused -Wno-missing-braces'}
+ -Wunused -Wno-missing-braces -fcommon'}
 
 # Extract map type names from -DHAS_XXX compiler options. We avoid
 # problems with tr(1) range syntax by using enumerations instead,
diff -ur /var/tmp/postfix-3.6-20200316/src/dns/dns.h ./src/dns/dns.h
--- /var/tmp/postfix-3.6-20200316/src/dns/dns.h 2017-12-27 17:29:44.000000000 -0500
+++ ./src/dns/dns.h 2020-04-15 16:21:02.000000000 -0400
@@ -59,6 +59,7 @@
 */
 #ifdef NO_DNSSEC
 #undef RES_USE_DNSSEC
+#undef RES_TRUSTAD
 #endif
 
 /*
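Review bot: `-fcommon` is a code-generation option rather than a warning, and carrying it in `WARN` (in the Makefile.in hunk and again in the makedefs default) means a build that supplies its own WARN value drops it and runs back into the GCC 10 'multiple definition' link errors. It also only hides the underlying cause, presumably globals defined in more than one translation unit, and with -fcommon the linker keeps merging same-named objects without reporting an accidental duplicate. A comment next to the WARN line, such as `# -fcommon: stopgap for the GCC 10 -fno-common default; remove once header globals are declared extern`, would record that this is temporary.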
@@ -70,6 +71,9 @@
 #ifndef RES_USE_EDNS0
 #define RES_USE_EDNS0 0
 #endif
+#ifndef RES_TRUSTAD
+#define RES_TRUSTAD 0
+#endif
 
 /*-
 * TLSA: https://tools.ietf.org/html/rfc6698#section-7.1
diff -ur /var/tmp/postfix-3.6-20200316/src/dns/dns_lookup.c ./src/dns/dns_lookup.c
--- /var/tmp/postfix-3.6-20200316/src/dns/dns_lookup.c 2019-12-15 11:19:34.000000000 -0500
+++ ./src/dns/dns_lookup.c 2020-04-15 16:42:28.000000000 -0400
@@ -116,6 +116,9 @@
 /* Request DNSSEC validation. This flag is silently ignored
 /* when the system stub resolver API, resolver(3), does not
 /* implement DNSSEC.
+/* Automatically turns on the RES_TRUSTAD flag on systems that
+/* support this flag (this behavior will be more configurable
+/* in a later release).
 /* .RE
 /* .IP lflags
 /* Flags that control the operation of the dns_lookup*()
@@ -458,10 +461,10 @@
 /*
 * Set extra options that aren't exposed to the application.
 */
-#define XTRA_FLAGS (RES_USE_EDNS0)
+#define XTRA_FLAGS (RES_USE_EDNS0 | RES_TRUSTAD)
 
 if (flags & RES_USE_DNSSEC)
- flags |= RES_USE_EDNS0;
+ flags |= (RES_USE_EDNS0 | RES_TRUSTAD);
 
 /*
 * Can't append domains: we need the right SOA TTL.
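Review bot: In the `@@ -458,10 +461,10 @@` hunk of dns_lookup.c, `flags |= (RES_USE_EDNS0 | RES_TRUSTAD);` makes every RES_USE_DNSSEC lookup accept the AD bit from whatever nameservers resolv.conf lists, so a DANE result is only as trustworthy as those resolvers and the network path to them. glibc 2.31 made trusting AD an explicit opt-in, and this line opts in on the administrator's behalf. The comment block in that hunk, and the manual-page text added in the `@@ -116,6 +116,9 @@` hunk, should state the assumption, for example `* RES_TRUSTAD: only safe when all configured nameservers are validating resolvers reached over a trusted path (ideally loopback).` The enclosing function starts and ends outside the hunk.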