Viktor Dukhovni:
> On Tue, Aug 24, 2021 at 11:32:01AM -0400, Wietse Venema wrote:
>
> > > You probably need to set the "trust AD" option in /etc/resolv.conf
> >
> > Postfix 3.6 has this comment in dns_lookup.c:
> > ...
> > Plus some plumbing in dns.h.
> >
> > Should we back-port this to the earlier stable releases, or would
> > they still need to set options in resolv.conf?
>
> The OP has Postfix 3.5. I guess Debian switched to a newer glibc and
> cut an OS release with Postfix 3.5 prior to the release of Postfix 3.6.
>
> So perhaps a backport to Postfix 3.5 would be helpful, assuming that
> Debian picks up the patch (Scott Kitterman et al. might be able to
> comment on whether that's likely).
>
> With the backport the "resolv.conf" option would not be needed. And
> of course it should only be set if all the listed resolvers are local.

I'll start adding RES_TRUSTAD support to the 3.3-3.5 stable releases.
It will combine nicely with the OpenSSL 3.x bitrot patch.

> Oh, and best to avoid systemd-resolved until it grows up and becomes
> a usable validating resolver. Until then, use unbound or similar.

resolv.conf is not part of Postfix, so we can only make recommendations
for resolvers to use and avoid.

Wietse
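
Added example (not part of the original thread, and not Postfix code): a small audit of resolv.conf text for the condition stated above, that the glibc "trust-ad" option should only be set when every listed resolver is local. Treating "local" as a loopback address is an assumption of this sketch, and the two sample files are constructed.

```python
import ipaddress

# Constructed sample files, not taken from the thread.
SAMPLE_LOCAL = "nameserver 127.0.0.1\nnameserver ::1\noptions edns0 trust-ad\n"
SAMPLE_MIXED = "nameserver 127.0.0.1\nnameserver 192.0.2.53\noptions trust-ad\n"

def parse_resolv_conf(text):
    """Return (nameservers, options) found in resolv.conf text."""
    servers, options = [], set()
    for raw in text.splitlines():
        if raw.startswith(("#", ";")):      # comment marker in first column
            continue
        fields = raw.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
        elif fields and fields[0] == "options":
            options.update(fields[1:])
    # With no nameserver line, the stub resolver queries the local machine.
    return servers or ["127.0.0.1"], options

def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; assumption: 'local' means loopback."""
    try:
        # Drop an IPv6 zone suffix such as '%lo' before parsing.
        return ipaddress.ip_address(addr.split("%", 1)[0]).is_loopback
    except ValueError:
        return False

def audit_trust_ad(text):
    """Classify a resolv.conf as (verdict, list of non-loopback resolvers)."""
    servers, options = parse_resolv_conf(text)
    remote = [s for s in servers if not is_loopback(s)]
    if "trust-ad" in options:
        # AD bits from a remote server cross an unauthenticated network path.
        return ("unsafe", remote) if remote else ("ok", [])
    # Without trust-ad (or RES_TRUSTAD set by the application), glibc 2.31+
    # clears the AD bit in responses, so the caller never sees it.
    return ("no-trust", remote) if remote else ("ad-stripped", [])

if __name__ == "__main__":
    for name, text in (("local", SAMPLE_LOCAL), ("mixed", SAMPLE_MIXED)):
        print(name, audit_trust_ad(text))
```

A loopback address only shows where the resolver listens, not that it validates DNSSEC, so an "ok" verdict still depends on which resolver is running there.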