Viktor Dukhovni:
> On Tue, Aug 24, 2021 at 11:32:01AM -0400, Wietse Venema wrote:
>
> > > You probably need to set the "trust AD" option in /etc/resolv.conf
> >
> > Postfix 3.6 has this comment in dns_lookup.c:
> > ...
> > Plus some plumbing in dns.h.
> >
> > Should we back-port this to the earlier stable releases, or would
> > they still need to set options in resolv.conf?
>
> The OP has Postfix 3.5. I guess Debian switched to a newer glibc and
> cut an OS release with Postfix 3.5 prior to the release of Postfix 3.6.
>
> So perhaps a backport to Postfix 3.5 would be helpful, assuming that
> Debian picks up the patch (Scott Kitterman et. al. might be able to
> comment on whether that's likely).
>
> With the backport the "resolv.conf" option would not be needed. And
> of course it should only be set if all the listed resolvers are local.
I'll start adding RES_TRUSTAD support to the 3.3-3.5 stable releases.
It will combine nicely with the OpenSSL 3.x bitrot patch.
> Oh, and best to avoid systemd-resolved until it grows up and becomes
> a usable validating resolver. Until then, use unbound or similar.
resolv.conf is not part of Postfix, so we can only make recommendations
for resolvers to use and avoid.
Wietse
