Florian Weimer:
> > My patch does not make security any worse than it was prior to
> > GLIBC 2.31. This is all I can do for stable Postfix releases:
> > ensure that shit does not stop working after an OS update.
> >
> > Any 'improvements' in Postfix DNSSEC support will have to be developed
> > in the Postfix 3.6 release cycle. The results from those 'improvements'
> > will never be merged back into Postfix 3.5 and earlier.
>
> I'm trying to understand why you were trusting the AD bit. Is it
Because Postfix DANE support requires a trusted resolver that returns the AD bit after successful DNSSEC validation. We have documentation that recommends using a local resolver. However, if people want to shoot themselves in the foot, then Postfix won't stop them.

By unconditionally setting the AD bit in a DNS query, we avoid a breaking change, and we are not making things worse than they were with glibc 2.19.

If Postfix stable release behavior is a gaping security hole, PLEASE SAY SO. Best practices evolve and security can always be improved, but such incremental improvements belong in an UNSTABLE release, not in a STABLE release, because improvements often introduce incompatibility.

	Wietse
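The mechanism the thread is arguing about, shown as an added example that is not Postfix code and not part of the original messages: a DNS query whose header carries the AD bit (what glibc set on every query before 2.31, and what the stable-release patch restores unconditionally), the response header decoded so the returned AD bit can be read, and the precondition the documentation implies, that the AD bit is only believed when the answer came from a resolver on the local host. Every function name here (`build_query`, `parse_header`, `resolver_is_local`, `ad_bit_trustworthy`, `constructed_response`) and the sample reply are constructed for this example; the loopback-only policy is an assumption used to illustrate the "trusted local resolver" requirement, not Postfix's actual decision logic.

```python
import struct
import ipaddress

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035).
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authentic data (DNSSEC-validated by the resolver)
FLAG_CD = 0x0010   # checking disabled
RCODE_MASK = 0x000F

TYPE_TLSA = 52     # RR type that DANE looks up
CLASS_IN = 1


def encode_name(qname):
    """Encode a dotted owner name as wire-format DNS labels."""
    out = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234, set_ad=True):
    """Build a wire-format query. With set_ad=True the AD bit is set in the
    query header; a validating resolver then reports validation status by
    setting AD in its reply. This is the bit older glibc set unconditionally."""
    flags = FLAG_RD | (FLAG_AD if set_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields this check needs."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
    }


def resolver_is_local(ns_addr):
    """Assumed trust policy for this example: only a resolver reached over
    loopback is in a position to have its AD bit believed, because AD on the
    wire from a remote, unauthenticated resolver proves nothing."""
    return ipaddress.ip_address(ns_addr).is_loopback


def ad_bit_trustworthy(query, response, ns_addr):
    """True when the reply matches our query, is NOERROR, carries AD, and came
    from a local resolver. Only then may AD stand in for DNSSEC validation."""
    q = parse_header(query)
    r = parse_header(response)
    return (r["qr"] and r["id"] == q["id"] and r["rcode"] == 0
            and r["ad"] and resolver_is_local(ns_addr))


def constructed_response(query, ad=True, rcode=0):
    """Constructed sample reply: the query's header rewritten as a response
    plus the echoed question section. No RRs are included because only the
    header flags are inspected in this example."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query("_25._tcp.mail.example.com", TYPE_TLSA)
    good = constructed_response(q, ad=True)
    print("query flags: 0x%04x" % struct.unpack("!H", q[2:4])[0])          # 0x0120
    print("local validating resolver:", ad_bit_trustworthy(q, good, "127.0.0.1"))      # True
    print("same reply via remote resolver:", ad_bit_trustworthy(q, good, "192.0.2.53"))  # False
    print("local resolver, AD clear:",
          ad_bit_trustworthy(q, constructed_response(q, ad=False), "127.0.0.1"))       # False
```

The last two calls are the two failure modes the thread touches: a reply with AD set but from a resolver that cannot be trusted, and a reply from a trusted resolver that did not validate. Neither should be treated as DNSSEC-authenticated input for DANE.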