On Fri, Apr 17, 2020 at 10:17:47PM +0200, Florian Weimer wrote:
> > With the Glibc change as the first step, we have no choice but to
> > restore the status quo ante.
>
> True, but there are different approaches.
>
> If the administrator has enabled DANE, you could check whether
> RES_TRUSTAD is enabled, and if not, complain loudly that the
> configured name servers are not marked as trusted (and may not even
> support DNSSEC validation). This why we expose the RES_TRUSTAD flag
> via _res.options: not overwrite it, but to detect this situation.
>
> Maybe that's an approach that a future Postfix version could take?
If you'll look in the original thread that got us here, you'll see a
tentative patch I posted that does precisely that, but it is too much
for the stable releases. In 3.6 we can explore such options.
--
Viktor.
