Viktor Dukhovni:
> On Tue, Aug 24, 2021 at 04:24:30PM +0200, Bastien Durel wrote:
> > Hello,
> >
> > Since I upgraded to debian 11 (postfix 3.5.6, was 3.4.14), my cluster
> > fails inter-node deliveries.
>
> You probably need to set the "trust AD" option in /etc/resolv.conf

Postfix 3.6 has this comment in dns_lookup.c:

/* .IP RES_USE_DNSSEC
/*      Request DNSSEC validation. This flag is silently ignored
/*      when the system stub resolver API, resolver(3), does not
/*      implement DNSSEC.
/*      Automatically turns on the RES_TRUSTAD flag on systems that
/*      support this flag (this behavior will be more configurable
/*      in a later release).

and this code:

    /*
     * Set extra options that aren't exposed to the application.
     */
#define XTRA_FLAGS (RES_USE_EDNS0 | RES_TRUSTAD)

    if (DNS_WANT_DNSSEC_VALIDATION(flags))
        flags |= (RES_USE_EDNS0 | RES_TRUSTAD);

Plus some plumbing in dns.h.

Should we back-port this to the earlier stable releases, or would
they still need to set options in resolv.conf?

        Wietse
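
Added example (not Postfix code and not written by anyone in this thread): glibc's resolv.conf(5) spells the option mentioned above "trust-ad", and without it the stub resolver removes the AD bit from replies before the application sees them. The C function below audits resolv.conf text for that option and also flags the case where AD would be trusted from a non-loopback nameserver, where the path to the resolver is not protected; the enum, the function names and the sample addresses are this example's own.

```c
#include <stdio.h>
#include <string.h>

enum ad_trust { AD_STRIPPED, AD_TRUSTED_LOCAL, AD_TRUSTED_REMOTE }; /* example's own names */

/* Copy the next blank-separated word on this line; NULL at end of line. */
static const char *next_word(const char *p, char *out, size_t outlen)
{
    size_t len, n;
    p += strspn(p, " \t");
    len = strcspn(p, " \t\n");
    n = len < outlen - 1 ? len : outlen - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return len ? p + len : NULL;
}

/* AD_STRIPPED: no "options trust-ad", so replies reach the caller without AD.
 * AD_TRUSTED_REMOTE: trust-ad is set while a non-loopback nameserver is listed. */
enum ad_trust audit_resolv_conf(const char *text)
{
    char word[64];
    const char *p = text, *q;
    int trust_ad = 0, remote = 0;

    while (*p != '\0') {
        /* '#' or ';' in the first column starts a comment line. */
        q = (*p == '#' || *p == ';') ? NULL : next_word(p, word, sizeof(word));
        if (q != NULL && strcmp(word, "nameserver") == 0) {
            if (next_word(q, word, sizeof(word)) != NULL
                && strncmp(word, "127.", 4) != 0 && strcmp(word, "::1") != 0)
                remote = 1;
        } else if (q != NULL && strcmp(word, "options") == 0) {
            while ((q = next_word(q, word, sizeof(word))) != NULL)
                trust_ad |= strcmp(word, "trust-ad") == 0;
        }
        p += strcspn(p, "\n");
        p += (*p == '\n');
    }
    /* No nameserver line means the local host is queried, so it counts as local. */
    return !trust_ad ? AD_STRIPPED : remote ? AD_TRUSTED_REMOTE : AD_TRUSTED_LOCAL;
}

int main(void)
{
    /* Constructed sample; 192.0.2.53 is a documentation address. */
    printf("%d\n", (int) audit_resolv_conf("nameserver 192.0.2.53\noptions trust-ad\n"));
    return 0;
}
```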