On Sun, Mar 20, 2022 at 08:35:48PM +0100, Christian Eyrich via Exim-users wrote:
> my exim installation is failing when I try forcing DNSSEC for DANE using
> "dnssec_require_domains" for any domain.
>
> dnslookup_secure router: defer for dnssecte...@mailbox.org
> message: host lookup done insecurely
> chris@momos:~$ unbound-host -vDr mailbox.org
> mailbox.org has address 80.241.60.194 (secure)
> [...]

Even if the local (unbound) resolver performs DNSSEC validation and signals a
secure result via the "AD" bit in the DNS reply, a sufficiently recent "glibc"
will suppress the AD bit unless /etc/resolv.conf sets the "trust-ad" resolver
option:

    https://github.com/NLnetLabs/dnssec-trigger/issues/5#issuecomment-799847737

The most likely problem is that this is not set in your /etc/resolv.conf file.

Note that you should not trust the "AD" bit from *remote* nameservers whose
replies to your libc stub resolver traverse insecure networks. In practice this
means that /etc/resolv.conf MUST ONLY contain the 127.0.0.1 and/or ::1
nameserver addresses.

-- 
    Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
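As an added example (not part of the thread, and not Exim or glibc code), a small checker for the two conditions the reply describes: `options trust-ad` must be present, and every `nameserver` must be a loopback address so the AD bit never comes from across an untrusted network. The two sample files at the bottom are constructed for illustration.

```python
"""Check resolv.conf text for the conditions under which a glibc stub
resolver will pass a trustworthy DNSSEC "AD" bit to applications such as Exim."""
import ipaddress


def parse_resolv_conf(text):
    """Return (nameservers, options) parsed from resolv.conf contents.
    Lines starting with '#' or ';' are comments; other keywords are ignored."""
    nameservers, options = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            nameservers.append(fields[1])
        elif fields[0] == "options":
            options.update(fields[1:])
    return nameservers, options


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; a zone suffix like '%lo' is stripped first."""
    try:
        return ipaddress.ip_address(addr.split("%", 1)[0]).is_loopback
    except ValueError:
        return False


def check_resolv_conf(text):
    """Return a list of problems; an empty list means the AD bit can be relied on
    (given a validating resolver such as unbound listening on loopback)."""
    nameservers, options = parse_resolv_conf(text)
    problems = []
    if "trust-ad" not in options:
        problems.append("missing 'options trust-ad': glibc will clear the AD bit")
    if not nameservers:
        problems.append("no nameserver configured")
    for ns in nameservers:
        if not is_loopback(ns):
            problems.append(f"nameserver {ns} is not loopback; its AD bit must not be trusted")
    return problems


# Constructed samples: the first reproduces the "host lookup done insecurely" setup,
# the second is the corrected file described in the reply.
BAD_RESOLV_CONF = "# forwarded to the LAN resolver\nnameserver 192.0.2.53\noptions edns0\n"
GOOD_RESOLV_CONF = "nameserver 127.0.0.1\nnameserver ::1\noptions trust-ad edns0\n"

if __name__ == "__main__":
    for name, conf in (("bad", BAD_RESOLV_CONF), ("good", GOOD_RESOLV_CONF)):
        print(name, check_resolv_conf(conf) or "OK")
```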