Re: [exim] Upcoming Glibc changes and DANE support in Exim, …

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Upcoming Glibc changes and DANE support in Exim, Postfix, and perhaps other MTAs
On 15/04/2020 18:46, Viktor Dukhovni via Exim-users wrote:
> I read this to mean that the new "trust-ad" option, if set, causes the
> Glibc stub resolver to set AD=1 in queries, but *otherwise*, causes it
> to strip the AD bit from replies.


So much for back-compatibility, eh? They broke it for all existing
consumers of DNSSEC?

> I don't yet have access to systems with this recent a Glibc to confirm
> the above, but this is likely relevant to Exim administrators who enable
> DANE. Once you upgrade to Glibc 2.31 or higher, you'll need to explicitly
> add the "trust-ad" option to your /etc/resolv.conf, while of course also
> making sure that all the listed nameservers are local (loopback interface).


While wise to have an on-system caching resolver on performance grounds,
for any mail volume beyond trivial - isn't that a rather tight
restriction? Why should you not trust other systems which are
under your administrative control (assuming your threat model doesn't
extend to in-organisation attacks)?

--
Cheers,
Jeremy
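As an added illustration (not part of this thread, and not Exim's or glibc's own code): a small POSIX sh audit that checks a resolv.conf against the two conditions Viktor's quoted message says a DANE-enabled Exim host will need once it is on glibc 2.31 or later, namely that every listed nameserver is a loopback address and that an "options" line carries "trust-ad". The function name, the pass/fail wording and the sample resolv.conf contents are my own; the samples are constructed, not taken from any real host.

```sh
#!/bin/sh
# Added example, not from the exim-users thread.
# check_resolv_conf reads resolv.conf text on stdin and returns 0 when
#   1. every "nameserver" entry is a loopback address (127.0.0.0/8 or ::1), and
#   2. some "options" line contains "trust-ad"
# and 1 otherwise, reporting each finding on stderr. Both conditions come
# from the quoted message: glibc 2.31+ strips AD from replies unless
# trust-ad is set, and trust-ad should only be set when the stub talks to
# a resolver on the loopback interface.

is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

check_resolv_conf() {
    rc=0
    trust_ad=0
    # "read -r key rest" splits each line into the keyword and the remainder;
    # comment lines (#, ;) and search/domain/sortlist lines fall through.
    while read -r key rest; do
        case "$key" in
            nameserver)
                set -- $rest            # first word is the address
                if ! is_loopback "$1"; then
                    echo "FAIL: non-loopback nameserver $1 (AD bit would be trusted over the wire)" >&2
                    rc=1
                fi
                ;;
            options)
                for opt in $rest; do
                    case "$opt" in
                        trust-ad) trust_ad=1 ;;
                    esac
                done
                ;;
        esac
    done
    if [ "$trust_ad" -eq 0 ]; then
        echo "FAIL: no 'options trust-ad'; glibc 2.31+ will clear AD in replies" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample 1: local validating resolver, trust-ad set -> PASS
if check_resolv_conf <<'EOF'
# constructed sample resolv.conf
nameserver 127.0.0.1
nameserver ::1
options trust-ad edns0
EOF
then echo "sample 1: PASS"; else echo "sample 1: FAIL"; fi

# Constructed sample 2: remote resolver, no trust-ad -> FAIL (two findings)
if check_resolv_conf <<'EOF'
nameserver 192.0.2.53
options edns0 timeout:2
EOF
then echo "sample 2: PASS"; else echo "sample 2: FAIL"; fi
```

To run it against a real host, pipe the live file in: `check_resolv_conf < /etc/resolv.conf`. The script deliberately treats a non-loopback nameserver as a failure even when trust-ad is present, which is the strict reading of the quoted advice; an administrator who, as Jeremy suggests, trusts other resolvers under their own control would relax `is_loopback` to whatever address set their threat model accepts.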