On Tue, Aug 24, 2021 at 04:24:30PM +0200, Bastien Durel wrote:

> Hello,
>
> Since I upgraded to debian 11 (postfix 3.5.6, was 3.4.14), my cluster
> fails inter-node deliveries.

You probably need to set the "trust AD" option in /etc/resolv.conf

    https://man7.org/linux/man-pages/man5/resolv.conf.5.html

    trust-ad (since glibc 2.31)
        Sets RES_TRUSTAD in _res.options. This option controls the
        AD bit behavior of the stub resolver. If a validating
        resolver sets the AD bit in a response, it indicates that
        the data in the response was verified according to the
        DNSSEC protocol. In order to rely on the AD bit, the local
        system has to trust both the DNSSEC-validating resolver and
        the network path to it, which is why an explicit opt-in is
        required. If the trust-ad option is active, the stub
        resolver sets the AD bit in outgoing DNS queries (to enable
        AD bit support), and preserves the AD bit in responses.
        Without this option, the AD bit is not set in queries, and
        it is always removed from responses before they are
        returned to the application. This means that applications
        can trust the AD bit in responses if the trust-ad option
        has been set correctly.

-- 
    Viktor.
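
Added example, not part of the original message: a Python check that reads resolv.conf-style text and reports whether trust-ad is set and which nameservers the AD bit would be trusted from. Treating only loopback nameservers as a trusted network path is an assumption of this example, the function name is hypothetical, and the sample file content is constructed.

```python
import ipaddress

MAXNS = 3  # glibc uses only the first three nameserver entries

# Constructed sample: trust-ad enabled, but the first resolver is remote.
SAMPLE = """\
# constructed example file
nameserver 192.0.2.53
nameserver 127.0.0.1
options edns0 trust-ad
"""

def audit_resolv_conf(text):
    """Return (trust_ad, nameservers_used, warnings) for resolv.conf text."""
    trust_ad, nameservers, warnings = False, [], []
    for raw in text.splitlines():
        if raw[:1] in ("#", ";"):      # comment marker in the first column
            continue
        fields = raw.split()
        if not fields:
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            nameservers.append(fields[1])
        elif fields[0] == "options":
            trust_ad = trust_ad or "trust-ad" in fields[1:]
    # With no nameserver entries the stub resolver queries the local machine.
    used = nameservers[:MAXNS] or ["127.0.0.1"]
    if not trust_ad:
        warnings.append("trust-ad not set: AD bit is removed from responses")
        return trust_ad, used, warnings
    for ns in used:
        try:
            # Drop an IPv6 zone id ("%eth0") before parsing the address.
            loopback = ipaddress.ip_address(ns.split("%")[0]).is_loopback
        except ValueError:
            warnings.append(f"unparseable nameserver address: {ns}")
            continue
        if not loopback:
            warnings.append(f"trust-ad set but {ns} is not loopback: "
                            "AD bit is trusted across the network path")
    return trust_ad, used, warnings

if __name__ == "__main__":
    ok, servers, notes = audit_resolv_conf(SAMPLE)
    print("trust-ad:", ok, "nameservers:", servers)
    for note in notes:
        print("warning:", note)
```

To audit a live host, pass the contents of /etc/resolv.conf to audit_resolv_conf() in place of SAMPLE.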