* Wietse Venema:

> Vladimir Lomov:
>> I'm a bit bewildered. Does this mean that all is Ok with glibc 2.31 with
>> 'options trust-ad' and postfix 3.5.0 or it is depend strongly on used
>> 'options'?
>
> This patch avoids the need to add options to resolv.conf.

Does Postfix perform its own DNSSEC validation? I suppose not, otherwise you would not need the AD bit. The intent of this change in glibc was that NetworkManager (or whatever generates /etc/resolv.conf) figures out whether the configured resolver performs DNSSEC validation and can be trusted to set the AD bit accordingly. If you patch Postfix to add back the flag unconditionally, disregarding the name server trust status, then maybe handling the AD bit in this way was not such a good idea after all.
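
The trust decision discussed above, as an added example that is not part of the original message or of glibc or Postfix: it parses resolv.conf text, reports whether `trust-ad` is set, and flags configured name servers that are not on loopback. The function name `audit_resolv_conf`, the use of "loopback only" as a stand-in for a trusted resolver path, and the sample files are assumptions constructed for illustration; the `RES_OPTIONS` environment variable is not examined.

```python
import ipaddress

def audit_resolv_conf(text):
    """Return (trust_ad, nameservers, findings) for resolv.conf content."""
    trust_ad = False
    nameservers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # comment lines start with # or ;
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) > 1:
            nameservers.append(fields[1])
        elif fields[0] == "options" and "trust-ad" in fields[1:]:
            trust_ad = True

    findings = []
    if not trust_ad:
        # Default mode since glibc 2.31: AD is cleared before the
        # application (for example Postfix) sees the response.
        findings.append("trust-ad not set: AD bit is cleared in responses")
        return trust_ad, nameservers, findings

    for ns in nameservers:
        addr = ns.split("%", 1)[0]           # drop an IPv6 zone id if present
        try:
            local = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            findings.append(f"trust-ad set but nameserver {ns!r} is not an IP address")
            continue
        if not local:
            # Assumption: only a loopback resolver counts as a trusted path.
            findings.append(f"trust-ad set with non-loopback nameserver {ns}: "
                            "AD bit is trusted across the network")
    return trust_ad, nameservers, findings

# Constructed sample files (not taken from any real host).
SAMPLE_LOCAL = "# constructed\nnameserver 127.0.0.53\noptions edns0 trust-ad\n"
SAMPLE_REMOTE = "; constructed\nnameserver 192.0.2.53\noptions trust-ad\n"
SAMPLE_DEFAULT = "nameserver 192.0.2.53\n"

if __name__ == "__main__":
    for name, sample in [("local", SAMPLE_LOCAL), ("remote", SAMPLE_REMOTE),
                         ("default", SAMPLE_DEFAULT)]:
        print(name, audit_resolv_conf(sample))
```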