* Wietse Venema:

> Florian Weimer:
>> * Rich Felker:
>>
>> > A solution that would work with existing and future versions of musl
>> > as well as glibc, and would (I think) avoid the need to poke at _res
>> > to set the glibc trustad flag, would be replacing the call to
>> > res_query with res_mkquery, |='ing the AD bit into place, then
>> > res_send.
>>
>> This will not give the result that Postfix programmers want on newer
>> glibc versions (not without the trust-ad flag in /etc/resolv.conf).
>
> The problem with using low-level res_*mkquery() is that Postfix
> would have to re-implement all the high-level res_search() features
> such as RES_DEFNAMES, RES_DNSRCH, retries over TCP after receiving
> a truncated response, and so on.

I don't think this is actually an issue: TCP fallback is still
performed with res_send.  If you care about DNSSEC validation, you
cannot really use search list processing anyway because you might not
get back the name you wanted after an unauthenticated query failure, so
the lack thereof with res_send actually avoids the cumbersome flags
manipulation.

Anyway, lack of TCP fallback in the musl stub resolver will break a lot
of mail-related things anyway.  Most people probably want to use DANE
in conjunction with SPF and DKIM, and some TXT queries (as used with
SPF) absolutely do require TCP fallback to succeed.  So yes, people who
want to use musl need to get their stub resolver from somewhere else.
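
Added example, not part of the original message and not code from Postfix, musl or glibc: the header-level part of the res_mkquery / set AD / res_send sequence discussed in this thread, in C, including the truncated-reply case a resolver without TCP fallback would hand back. The function names and the sample packets are constructed for illustration; the query buffer is assumed to come from res_mkquery() and the reply from res_send(), and, as noted in the thread, newer glibc also needs the trust-ad flag in /etc/resolv.conf.

```c
#include <stddef.h>
#include <stdio.h>

/* DNS header (RFC 1035 4.1.1; AD bit: RFC 4035, RFC 6840):
 * bytes 0-1 ID, byte 2 QR|Opcode|AA|TC|RD, byte 3 RA|Z|AD|CD|RCODE. */
enum { HDR_LEN = 12, F_QR = 0x80, F_TC = 0x02, F_AD = 0x20 };
typedef enum { AD_OK, AD_MALFORMED, AD_ID_MISMATCH, AD_TRUNCATED,
               AD_UNAUTHENTICATED } ad_status;

/* OR the AD bit into a query that was built elsewhere (assumed: by
 * res_mkquery()).  Returns 0 on success, -1 if buf is not a query. */
int dns_query_set_ad(unsigned char *buf, size_t len)
{
    if (buf == NULL || len < HDR_LEN || (buf[2] & F_QR))
        return -1;
    buf[3] |= F_AD;
    return 0;
}

/* Classify a reply (assumed: as returned by res_send()).  RCODE is left
 * to the caller; AD on NXDOMAIN is an authenticated denial. */
ad_status dns_reply_ad_status(const unsigned char *q, size_t qlen,
                              const unsigned char *r, size_t rlen)
{
    if (!q || !r || qlen < HDR_LEN || rlen < HDR_LEN || !(r[2] & F_QR))
        return AD_MALFORMED;
    if (q[0] != r[0] || q[1] != r[1])
        return AD_ID_MISMATCH;
    if (r[2] & F_TC)        /* no TCP fallback happened: answer is partial */
        return AD_TRUNCATED;
    return (r[3] & F_AD) ? AD_OK : AD_UNAUTHENTICATED;
}

/* Constructed sample packets: TXT query for example.com, ID 0x1234,
 * and three header-only replies. */
unsigned char sample_query[] = { 0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,16, 0,1 };
const unsigned char reply_ad[12]   = { 0x12,0x34, 0x81,0xa0 };
const unsigned char reply_tc[12]   = { 0x12,0x34, 0x83,0xa0 };
const unsigned char reply_noad[12] = { 0x12,0x34, 0x81,0x80 };

int main(void)
{
    dns_query_set_ad(sample_query, sizeof sample_query);
    printf("ad=%d tc=%d noad=%d\n",
        dns_reply_ad_status(sample_query, sizeof sample_query, reply_ad, 12),
        dns_reply_ad_status(sample_query, sizeof sample_query, reply_tc, 12),
        dns_reply_ad_status(sample_query, sizeof sample_query, reply_noad, 12));
    return 0;
}
```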