* Wietse Venema:
> Florian Weimer:
>> > My patch does not make security any worse than it was prior to
>> > GLIBC 2.31. This is all I can do for stable Postfix releases:
>> > ensure that shit does not stop working after an OS update.
>> >
>> > Any 'improvements' in Postfix DNSSEC support will have to be developed
>> > in the Postfix 3.6 release cycle. The results from those 'improvements'
>> > will never be merged back into Postfix 3.5 and earlier.
>>
>> I'm trying to understand why you were trusting the AD bit. Is it
>
> Because Postfix DANE support requires a trusted resolver that returns
> the AD after successful DNSSEC validation. We have documentation that
> recommends using a local resolver. However, if people want to shoot
> themselves in the foot, then Postfix won't stop them.
>
> By unconditionally setting the AD bit in a DNS query, we avoid a
> breaking change, and we are not making things worse than they were
> with glibc 2.19. If Postfix stable release behavior is a gaping
> security hole, PLEASE SAY SO.
I don't think it's a gaping security hole. The scope of the flags change in dns_query is really small, so it affects that one query only. If some library used by Postfix depends on RES_TRUSTAD in its intended meaning, it will not be impacted.
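To make the two points of the exchange concrete (setting AD in the outgoing query header so a glibc 2.31+ stub resolver passes it through, and only honouring AD from a trusted local resolver), here is an added example in C. It is not Postfix code; it hand-builds the 12-byte DNS header instead of using libresolv, treats a loopback nameserver address as "trusted" (an assumption matching the local-resolver advice above), and the response headers are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

/* AD is bit 5 of the flags word (second 16-bit word) of a DNS header, RFC 4035. */
#define DNS_FLAG_AD 0x0020

/* Set AD in an already built query header. With glibc >= 2.31 a stub resolver only
   passes AD through in the answer if the query carried it (or RES_TRUSTAD is set). */
static int dns_query_set_ad(uint8_t *pkt, size_t len) {
    uint16_t flags;
    if (len < 12) return -1;                 /* not even a full header */
    memcpy(&flags, pkt + 2, 2);
    flags = htons(ntohs(flags) | DNS_FLAG_AD);
    memcpy(pkt + 2, &flags, 2);
    return 0;
}

/* 1 if the AD bit is set in a wire-format DNS message, 0 otherwise. */
static int dns_response_has_ad(const uint8_t *pkt, size_t len) {
    uint16_t flags;
    if (len < 12) return 0;
    memcpy(&flags, pkt + 2, 2);
    return (ntohs(flags) & DNS_FLAG_AD) != 0;
}

/* AD is only a validation claim by whoever answered. Assumption for this example:
   trust it only from a resolver on loopback (the "local resolver" recommendation). */
static int resolver_is_trusted(const char *ns_ip) {
    struct in_addr a4; struct in6_addr a6;
    if (inet_pton(AF_INET, ns_ip, &a4) == 1)
        return (ntohl(a4.s_addr) >> 24) == 127;
    if (inet_pton(AF_INET6, ns_ip, &a6) == 1)
        return IN6_IS_ADDR_LOOPBACK(&a6);
    return 0;
}

/* DANE-style decision: the answer counts as DNSSEC-authenticated only when AD is
   set AND the resolver that set it is one we trust. */
static int dnssec_authenticated(const uint8_t *resp, size_t len, const char *ns_ip) {
    return dns_response_has_ad(resp, len) && resolver_is_trusted(ns_ip);
}

/* Constructed headers: id 0x1234, flags 0x81a0 = QR|RD|RA|AD, and 0x8180 without AD. */
static const uint8_t sample_resp_ad[12]   = {0x12,0x34,0x81,0xa0,0,1,0,1,0,0,0,0};
static const uint8_t sample_resp_noad[12] = {0x12,0x34,0x81,0x80,0,1,0,1,0,0,0,0};

int main(void) {
    uint8_t q[12] = {0};
    dns_query_set_ad(q, sizeof q);
    printf("query AD=%d local+AD=%d public+AD=%d local-noAD=%d\n",
           dns_response_has_ad(q, sizeof q),
           dnssec_authenticated(sample_resp_ad, 12, "127.0.0.1"),
           dnssec_authenticated(sample_resp_ad, 12, "192.0.2.53"),
           dnssec_authenticated(sample_resp_noad, 12, "127.0.0.1"));
    return 0;
}
```

The last two calls show the two ways AD must not be trusted: an AD-flagged answer from a non-local resolver, and a local answer without AD.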