On Mon, May 18, 2020 at 09:37:36PM -0400, Rich Felker wrote:
> > Mostly dig, unbound-host, ... Most of the platform C libraries support
> > DO=1, which obviates the need for AD=1, so they don't do that, but it is
> > nevertheless safe. AD=1 is much cheaper than DO=1, because you get back
> > just the AD bit without the excess RRSIG baggage, which is not needed
> > when you're not doing your own validation.
>
> I have a proposed solution expected to go upstream in this release
> cycle: res_* set AD bit unconditionally in outgoing queries, but the
> [backend for the] netdb.h functions clears it after calling
> __res_mkquery.
>
> This ensures that even if there are some broken nameservers/networks
> still that can't handle AD in queries, the standard, widely-used,
> high-level lookup APIs will still work, and at worst res_query breaks.
>
> Note that the netdb.h functions have no use for the AD bit and no way
> to pass it back to the caller, so there is no reduction in
> functionality by having them clear it.
This sounds reasonable. Will there be a way for Postfix to detect the new library version, so that we don't disable DANE for musl-libc versions that do set the AD bit?

-- 
Viktor.
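The mechanism discussed above comes down to one bit in the fixed DNS message header: the resolver sets AD in the outgoing query, the netdb.h backend clears it again after __res_mkquery, and an application such as Postfix reads AD back from the response. The following is an added illustration written for this thread; it is not code from musl or Postfix. It works directly on the 12-byte header layout (RFC 1035 section 4.1.1, with AD as defined in RFC 4035) instead of calling libresolv, so it runs without a network; the header bytes and the "validated response" are constructed sample data, and the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed DNS header length (RFC 1035 section 4.1.1). */
#define DNS_HDR_LEN 12
/* AD (Authentic Data, RFC 4035) is bit 5 of header byte 3:
   byte 3 = RA(7) Z(6) AD(5) CD(4) RCODE(3..0). */
#define DNS_AD_MASK 0x20

/* Read AD from a query or response.
   Returns 1 if set, 0 if clear, -1 if the buffer cannot hold a header. */
int dns_ad_set(const unsigned char *msg, size_t len)
{
    if (msg == NULL || len < DNS_HDR_LEN)
        return -1;
    return (msg[3] & DNS_AD_MASK) ? 1 : 0;
}

/* Set (on != 0) or clear AD in an already-built message. This is the
   operation the thread describes: res_* sets it after building the query,
   the netdb.h backend clears it again before sending.
   Returns 0 on success, -1 if the buffer is too short. */
int dns_set_ad(unsigned char *msg, size_t len, int on)
{
    if (msg == NULL || len < DNS_HDR_LEN)
        return -1;
    if (on)
        msg[3] |= DNS_AD_MASK;
    else
        msg[3] &= (unsigned char)~DNS_AD_MASK;
    return 0;
}

/* Constructed stand-in for the header __res_mkquery emits:
   given id, RD=1, QDCOUNT=1, everything else zero (so AD is clear).
   Returns the number of bytes written, 0 if buf is too small. */
size_t make_query_header(unsigned char *buf, size_t buflen, uint16_t id)
{
    if (buf == NULL || buflen < DNS_HDR_LEN)
        return 0;
    memset(buf, 0, DNS_HDR_LEN);
    buf[0] = (unsigned char)(id >> 8);
    buf[1] = (unsigned char)(id & 0xff);
    buf[2] = 0x01; /* RD */
    buf[5] = 0x01; /* QDCOUNT = 1 */
    return DNS_HDR_LEN;
}

/* Build a query header, apply dns_set_ad(on), and return header byte 3,
   so the effect of the set/clear step can be inspected in isolation. */
unsigned char query_byte3_after(uint16_t id, int on)
{
    unsigned char q[DNS_HDR_LEN];
    make_query_header(q, sizeof q, id);
    dns_set_ad(q, sizeof q, on);
    return q[3];
}

/* Constructed response header: id 0x1234, QR=1, RD=1, RA=1, AD=1,
   RCODE=NOERROR, one question, one answer. This is what a validating
   recursive resolver returns when the query carried AD=1 or DO=1. */
const unsigned char sample_validated_response[DNS_HDR_LEN] = {
    0x12, 0x34, 0x81, 0xa0, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    unsigned char q[DNS_HDR_LEN];

    make_query_header(q, sizeof q, 0x1234);
    printf("fresh query AD:             %d\n", dns_ad_set(q, sizeof q));
    dns_set_ad(q, sizeof q, 1);
    printf("after res_* style set:      %d\n", dns_ad_set(q, sizeof q));
    dns_set_ad(q, sizeof q, 0);
    printf("after netdb.h style clear:  %d\n", dns_ad_set(q, sizeof q));
    printf("sample response AD:         %d\n",
           dns_ad_set(sample_validated_response, DNS_HDR_LEN));
    printf("truncated buffer:           %d\n", dns_ad_set(q, 5));
    return 0;
}
```

The point for a DANE client is the last two cases: AD in a response is only meaningful if the query asked for it, which is why the thread distinguishes res_query (where the caller can see the bit) from getaddrinfo and friends (where it is dropped), and a buffer shorter than the header must be rejected before any flag is read.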