Viktor Dukhovni:
> On Tue, Aug 24, 2021 at 11:32:01AM -0400, Wietse Venema wrote:
> 
> > > You probably need to set the "trust AD" option in /etc/resolv.conf
> > 
> > Postfix 3.6 has this comment in dns_lookup.c:
> > ...
> > Plus some plumbing in dns.h.
> > 
> > Should we back-port this to the earlier stable releases, or would
> > they still need to set options in resolv.conf?
> 
> The OP has Postfix 3.5.  I guess Debian switched to a newer glibc and
> cut an OS release with Postfix 3.5 prior to the release of Postfix 3.6.
> 
> So perhaps a backport to Postfix 3.5 would be helpful, assuming that
> Debian picks up the patch (Scott Kitterman et al. might be able to
> comment on whether that's likely).
> 
> With the backport the "resolv.conf" option would not be needed.  And
> of course it should only be set if all the listed resolvers are local.

I'll start adding RES_TRUSTAD support to the 3.3-3.5 stable releases.
It will combine nicely with the OpenSSL 3.x bitrot patch.

> Oh, and best to avoid systemd-resolved until it grows up and becomes
> a usable validating resolver.  Until then, use unbound or similar.

resolv.conf is not part of Postfix, so we can only make recommendations
for resolvers to use and avoid.

        Wietse
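
The rule quoted in the message above, that the option should only be set if all the listed resolvers are local, written out as a check over resolv.conf contents. This is an added example, not code from the thread or from Postfix. It assumes "local" means a loopback address and that the option is spelled `trust-ad` as in glibc's resolv.conf; the sample files and function names are constructed.

```python
import ipaddress

# Constructed resolv.conf samples; not taken from the thread.
SAMPLE_LOCAL = "# local unbound\nnameserver 127.0.0.1\nnameserver ::1\noptions edns0 trust-ad\n"
SAMPLE_MIXED = "nameserver 127.0.0.1\nnameserver 192.0.2.53\noptions trust-ad\n"

def parse_resolv_conf(text):
    """Return (nameserver addresses, set of option words)."""
    nameservers, options = [], set()
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "#;":   # blank line or comment
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            nameservers.append(fields[1])
        elif fields[0] == "options":
            options.update(fields[1:])
    return nameservers, options

def is_loopback(addr):
    # Assumption: "local" is read here as a loopback address.
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:          # unparsable entry: treat as not local
        return False

def audit_trust_ad(text):
    """Return (verdict, non_local); verdict is 'ok', 'unsafe' or 'unset'."""
    nameservers, options = parse_resolv_conf(text)
    # With no nameserver lines the libc resolver falls back to the local host,
    # so an empty list counts as all-local.
    non_local = [ns for ns in nameservers if not is_loopback(ns)]
    if "trust-ad" not in options:
        return "unset", non_local
    return ("unsafe" if non_local else "ok"), non_local

if __name__ == "__main__":
    for name, text in (("local", SAMPLE_LOCAL), ("mixed", SAMPLE_MIXED)):
        print(name, audit_trust_ad(text))
```

A verdict of `unsafe` means the AD bit would be trusted from a resolver reached over the network, which is the case the quoted advice rules out.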
