Am 20.03.2022 um 22:28 schrieb Viktor Dukhovni via Exim-users:
Even if the local (unbound) resolver performs DNSSEC validation and
signals a secure result via the "AD" bit in the DNS reply, a
sufficiently recent "glibc" will suppress the AD bit unless
/etc/resolv.conf sets "trust-ad" resolver option:
https://github.com/NLnetLabs/dnssec-trigger/issues/5#issuecomment-799847737
The most likely problem is that this is not set in your
/etc/resolv.conf file.
You nailed it, Viktor. It’s working now. Thank you very much.And now I know that I was right that it worked in the past and why: Debian Buster used glibc 2.28.
Note that you should not trust the "AD" bit from *remote* nameservers whose replies to your libc stub resolver traverse insecure networks. In practice this means that /etc/resolv.conf MUST ONLY contain the 127.0.0.1 and/or ::1 nameserver addresses.
That’s no problem. My local unbound does do all the DNS resolution on its own and 127.0.0.1 is the only entry in resolv.conf
Best regards, Christian
OpenPGP_0xC37B23FE39081C53.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
-- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
