On Tue, Aug 24, 2021 at 11:32:01AM -0400, Wietse Venema wrote:

> > You probably need to set the "trust AD" option in /etc/resolv.conf
>
> Postfix 3.6 has this comment in dns_lookup.c:
>
> /* .IP RES_USE_DNSSEC
> /*	Request DNSSEC validation. This flag is silently ignored
> /*	when the system stub resolver API, resolver(3), does not
> /*	implement DNSSEC.
> /*	Automatically turns on the RES_TRUSTAD flag on systems that
> /*	support this flag (this behavior will be more configurable
> /*	in a later release).
>
> and this code:
>
>     /*
>      * Set extra options that aren't exposed to the application.
>      */
> #define XTRA_FLAGS (RES_USE_EDNS0 | RES_TRUSTAD)
>
>     if (DNS_WANT_DNSSEC_VALIDATION(flags))
>         flags |= (RES_USE_EDNS0 | RES_TRUSTAD);
>
> Plus some plumbing in dns.h.
>
> Should we back-port this to the earlier stable releases, or would
> they still need to set options in resolv.conf?
The OP has Postfix 3.5. I guess Debian switched to a newer glibc and cut an OS release with Postfix 3.5 prior to the release of Postfix 3.6. So perhaps a backport to Postfix 3.5 would be helpful, assuming that Debian picks up the patch (Scott Kitterman et al. might be able to comment on whether that's likely). With the backport the "resolv.conf" option would not be needed. And of course it should only be set if all the listed resolvers are local.

Oh, and best to avoid systemd-resolved until it grows up and becomes a usable validating resolver. Until then, use unbound or similar.

--
Viktor.
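The caveat in the reply above (set "trust-ad" only when every listed resolver is local) is easy to get wrong on a host whose resolv.conf is rewritten by DHCP or a VPN client. The following is an added example, not code from the thread or from Postfix: a small POSIX sh check that parses a resolv.conf, notes whether "options trust-ad" (honoured by glibc 2.31 and later; the stub resolver otherwise clears the AD bit in answers) is set, and refuses the configuration if any nameserver is not a loopback address. The three sample files are constructed for the example; the loopback-only notion of "local" in is_local is an assumption and should be widened if your validating resolver listens on another address you control.

```sh
#!/bin/sh
# Added example (not from the postfix-users thread or from Postfix itself).
# Verify that "options trust-ad" in a resolv.conf is only present when every
# listed nameserver is local, i.e. a validating resolver you control. With
# trust-ad set, glibc (>= 2.31) passes the AD bit from the answer through to
# the application, so a remote resolver could assert "validated" on your behalf.

# is_local ADDR: returns 0 if ADDR is a loopback address, 1 otherwise.
# Assumption: only loopback counts as local; extend the patterns if your
# validator listens elsewhere.
is_local() {
    case "$1" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_resolv_conf FILE: prints a verdict and returns
#   0  trust-ad not set, or set with only local nameservers
#   1  trust-ad set while a non-local nameserver is listed
#   2  file unreadable
check_resolv_conf() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    trust_ad=0
    bad=""
    # Comment lines start with '#' or ';' and never match a keyword below.
    while read -r key rest; do
        case "$key" in
            nameserver)
                set -- $rest                 # first word is the address
                [ $# -gt 0 ] || continue
                is_local "$1" || bad="$bad $1"
                ;;
            options)
                # "options" may carry several words, e.g. "edns0 trust-ad".
                for opt in $rest; do
                    case "$opt" in trust-ad) trust_ad=1 ;; esac
                done
                ;;
        esac
    done < "$f"
    if [ "$trust_ad" -eq 0 ]; then
        echo "$f: trust-ad not set; stub resolver will clear the AD bit"
        return 0
    fi
    if [ -n "$bad" ]; then
        echo "$f: UNSAFE, trust-ad set but non-local resolvers listed:$bad"
        return 1
    fi
    echo "$f: OK, trust-ad set and all resolvers are local"
    return 0
}

# Constructed sample files (not captured from any real host).
SAFE_CONF=$(mktemp)
cat > "$SAFE_CONF" <<'EOF'
# unbound listening on loopback
nameserver 127.0.0.1
nameserver ::1
options edns0 trust-ad
EOF

UNSAFE_CONF=$(mktemp)
cat > "$UNSAFE_CONF" <<'EOF'
nameserver 127.0.0.1
nameserver 192.0.2.53   ; pushed by DHCP, not under our control
options trust-ad
EOF

NOAD_CONF=$(mktemp)
cat > "$NOAD_CONF" <<'EOF'
nameserver 192.0.2.53
options edns0
EOF

for c in "$SAFE_CONF" "$UNSAFE_CONF" "$NOAD_CONF"; do
    if check_resolv_conf "$c"; then echo "  -> status 0"; else echo "  -> status $?"; fi
done
```

Run it as `sh check-trust-ad.sh`; to check a live host replace the sample paths with /etc/resolv.conf. Note that a Postfix 3.6 (or backported) build sets RES_TRUSTAD itself whenever it asks for DNSSEC validation, so on such systems the same "all resolvers local" condition applies even with no trust-ad line in resolv.conf.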