Florian Weimer:
> * Wietse Venema:
> > Vladimir Lomov:
> >> I'm a bit bewildered. Does this mean that all is OK with glibc 2.31 with
> >> 'options trust-ad' and postfix 3.5.0, or does it depend strongly on the
> >> 'options' used?
> >
> > This patch avoids the need to add options to resolv.conf.
>
> Does Postfix perform its own DNSSEC validation? I suppose not,
> otherwise you would not need the AD bit.
Correct. Until now, Postfix asserts RES_USE_DNSSEC to request validation
in a resolver. Postfix then uses the AD bit to trust that information is
authentic. The sysadmin has responsibility to ensure that (the path to)
their resolver is secure.

> The intent of this change in glibc was that NetworkManager (or
> whatever generates /etc/resolv.conf) figures out whether the
> configured resolver performs DNSSEC validation and can be trusted to
> set the AD bit accordingly.
>
> If you patch Postfix to add back the flag unconditionally,
> disregarding the name server trust status, then maybe handling the AD
> bit in this way was not such a good idea after all.

My patch does not make security any worse than it was prior to GLIBC 2.31.
This is all I can do for stable Postfix releases: ensure that shit does
not stop working after an OS update.

Any 'improvements' in Postfix DNSSEC support will have to be developed
in the Postfix 3.6 release cycle. The results from those 'improvements'
will never be merged back into Postfix 3.5 and earlier.

	Wietse
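To make the mechanism under discussion concrete, here is a small C illustration (added for this page; it is not code from the thread, from Postfix or from glibc). It shows the three pieces: the resolver option a client sets to request validation (RES_USE_DNSSEC from <resolv.h>), the AD bit in the response header that the client then trusts only if the path to the resolver is trusted, and a model of what a glibc 2.31 stub resolver does to that bit when 'trust-ad' is not in effect. Assumptions, stated in the comments as well: the "flag" Wietse adds back is taken to be RES_TRUSTAD (guarded with #ifdef so the code also builds on older glibc); the AD-clearing model of glibc 2.31 is this editor's reading of the thread, not a quotation of glibc's source; the "trusted path" input is a plain boolean standing in for the sysadmin's judgement; and the response header is constructed sample bytes, not a captured packet.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <resolv.h>   /* RES_USE_DNSSEC; RES_TRUSTAD on glibc >= 2.31 */

/* DNS header layout (RFC 1035, AD/CD bits from RFC 4035): the 16-bit flags word is
   bytes 2..3; AD is bit 0x0020, CD is bit 0x0010 of that word. */
#define DNS_HDR_LEN 12
#define DNS_FLAG_AD 0x0020
#define DNS_FLAG_CD 0x0010

/* The 16-bit flags word of a DNS message, or -1 if the buffer is shorter than a header. */
int dns_flags(const unsigned char *msg, size_t len) {
    if (len < DNS_HDR_LEN) return -1;
    return (msg[2] << 8) | msg[3];
}

/* 1 if the resolver marked the answer as validated (AD set), 0 if not, -1 on a short message. */
int dns_has_ad(const unsigned char *msg, size_t len) {
    int f = dns_flags(msg, len);
    return f < 0 ? -1 : ((f & DNS_FLAG_AD) != 0);
}

/* Options a Postfix-like client asserts: RES_USE_DNSSEC asks the resolver to validate.
   Assumption: the flag the thread talks about adding back is RES_TRUSTAD, which tells a
   glibc 2.31 stub resolver to keep the AD bit in responses; guarded so older glibc builds.
   In a real client this is applied after res_init():  _res.options |= dnssec_client_options(); */
unsigned long dnssec_client_options(void) {
    unsigned long opts = RES_USE_DNSSEC;
#ifdef RES_TRUSTAD
    opts |= RES_TRUSTAD;
#endif
    return opts;
}

/* Model (editor's assumption, based on the thread) of the glibc 2.31 stub resolver: unless
   'options trust-ad' / RES_TRUSTAD is in effect, the AD bit is cleared before the
   application sees the response, so an unpatched client never observes it. */
void stub_filter_ad(unsigned char *msg, size_t len, int trust_ad) {
    if (len < DNS_HDR_LEN || trust_ad) return;
    msg[3] &= (unsigned char)~(DNS_FLAG_AD & 0xff);
}

/* The decision Wietse describes: the AD bit is evidence of authenticity only when the
   client asked for validation (RES_USE_DNSSEC) and the path to the resolver is trusted.
   path_trusted is a stand-in for the sysadmin's responsibility, not something the code
   can determine by itself. */
int treat_as_authentic(unsigned long res_options, int path_trusted,
                       const unsigned char *msg, size_t len) {
    if (!(res_options & RES_USE_DNSSEC)) return 0;
    if (!path_trusted) return 0;
    return dns_has_ad(msg, len) == 1;
}

/* Constructed sample header (not a capture): ID 0x1234, flags 0x81a0 = QR|RD|RA|AD,
   RCODE 0, one question, no answer/authority/additional records. */
const unsigned char sample_response_ad[DNS_HDR_LEN] = {
    0x12, 0x34, 0x81, 0xa0, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void) {
    unsigned char copy[DNS_HDR_LEN];
    unsigned long opts = dnssec_client_options();

    printf("client options: 0x%lx (RES_USE_DNSSEC %s)\n", opts,
           (opts & RES_USE_DNSSEC) ? "set" : "unset");

    /* Path to the resolver trusted, AD present: authentic. */
    printf("trusted path, AD set   -> %d\n",
           treat_as_authentic(opts, 1, sample_response_ad, DNS_HDR_LEN));
    /* Same response, but the sysadmin does not trust the path: not authentic. */
    printf("untrusted path, AD set -> %d\n",
           treat_as_authentic(opts, 0, sample_response_ad, DNS_HDR_LEN));

    /* What a glibc 2.31 stub does without trust-ad: AD is gone before the client looks. */
    memcpy(copy, sample_response_ad, DNS_HDR_LEN);
    stub_filter_ad(copy, DNS_HDR_LEN, 0);
    printf("after stub without trust-ad: AD=%d\n", dns_has_ad(copy, DNS_HDR_LEN));
    return 0;
}
```

The point of the `path_trusted` argument is that the AD bit is a claim made by the resolver, not a property the client can verify: a resolver reached over an untrusted network, or a resolver that does not validate, can set or strip AD at will, which is exactly why glibc 2.31 moved the trust decision into resolv.conf and why Wietse's patch leaves that decision where it was before.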