Re: [exim] Upcoming Glibc changes and DANE support in Exim, …

Author: Phil Pennock
Date:  
To: Exim Users
CC: Viktor Dukhovni
Subject: Re: [exim] Upcoming Glibc changes and DANE support in Exim, Postfix, and perhaps other MTAs
On 2020-04-16 at 16:00 -0400, Viktor Dukhovni via Exim-users wrote:
> On Thu, Apr 16, 2020 at 07:53:08PM +0100, Jeremy Harris via Exim-users wrote:
> > On 15/04/2020 18:46, Viktor Dukhovni via Exim-users wrote:
> > > I read this to mean that the new "trust-ad" option, if set, causes the
> > > Glibc stub resolver to set AD=1 in queries, but *otherwise*, causes it
> > > to strip the AD bit from replies.


Thanks for this notice, I picked it up from another mailing-list you
posted it to.

> FWIW, Wietse's fix for existing stable Postfix releases is to just set
> "RES_TRUSTAD" along with the previous "RES_USE_EDNS0" when the calling
> code is requesting RES_USE_DNSSEC. This restores prior semantics.
> More fine-grained policy about when to set or not set RES_TRUSTAD will
> be tested in the development snapshots over the next year and be
> part of 3.6 early in 2021.


Unfortunately we (I) named the relevant option `dns_dnssec_ok` to
closely match setting the DNSSEC OK (`DO`) bit, which was clear and
precise and ... means adding the option in Exim there will have a
side-effect of doing more than the administrator asked for. It's 99%
likely to be the right thing to do, but I suspect we're going to need to
suck it up and change the option name and deprecate the current option.

(Otherwise I'd have already just coded up independently the exact same
fix you have used for Postfix)

This also though means that _building_ an Exim binary has to be done on
the system with the newer glibc, because binaries can't be forward
compatible. We need `RES_TRUSTAD` to be defined.

In the meantime, I've documented in dce58c04af that the problem exists
and pointed administrators at how to configure `resolv.conf`.
Unfortunately, the same OS family which needs this is the one which is
most likely to make `/etc/resolv.conf` be a symlink which gets stomped
upon with Yet Another Manager controlling the stomping every four or so
years. So that's not the most postmaster-friendly of solutions.

https://git.exim.org/exim.git/commitdiff/dce58c04af4439fec7269f83886e22b503756a8f

This is going to be one of those days where I regret a career using some
of these computer thingies.

-Phil
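The two points in the thread above, the resolver option mask that the Postfix-style fix sets alongside `RES_USE_DNSSEC` (with the build-time dependency on `RES_TRUSTAD` being defined) and the AD bit that a stub resolver without `trust-ad` clears from replies, as an added C example that is neither Exim's nor Postfix's code. The function names are hypothetical, the reply headers are constructed, and the `res_ninit` call and network query are left to the caller.

```c
/* Added example (not Exim/Postfix code): build the DNSSEC resolver option
 * mask, and check whether a raw DNS reply still carries the AD bit. */
#include <resolv.h>
#include <stddef.h>
#include <stdio.h>

/* Options to OR into a res_state after res_ninit() when the caller wants
 * DNSSEC-validated answers: RES_USE_DNSSEC implies RES_USE_EDNS0, and with
 * glibc headers that define RES_TRUSTAD the stub is told to keep the AD bit.
 * Older headers compile the fallback, so the binary silently lacks it. */
unsigned long dnssec_resolver_options(unsigned long base, int want_dnssec)
{
    unsigned long opts = base;
    if (want_dnssec) {
        opts |= RES_USE_EDNS0 | RES_USE_DNSSEC;
#ifdef RES_TRUSTAD
        opts |= RES_TRUSTAD;
#endif
    }
    return opts;
}

/* 1 if the headers used for this build define RES_TRUSTAD, else 0. */
int have_res_trustad(void)
{
#ifdef RES_TRUSTAD
    return 1;
#else
    return 0;
#endif
}

/* AD (Authentic Data) flag of a raw DNS message: 1 set, 0 clear,
 * -1 if the buffer cannot hold the 12-byte header. AD is bit 0x20 of
 * the fourth header byte (RA=0x80, Z=0x40, AD=0x20, CD=0x10, RCODE=0x0f). */
int dns_reply_ad_bit(const unsigned char *msg, size_t len)
{
    if (msg == NULL || len < 12)
        return -1;
    return (msg[3] & 0x20) ? 1 : 0;
}

/* Constructed headers: ID 0x1234, QR=1 RD=1 (byte 2 = 0x81), one question.
 * Byte 3 is 0xa0 (RA, AD) from a validating resolver, 0x80 once stripped. */
static const unsigned char sample_with_ad[12] =
    { 0x12, 0x34, 0x81, 0xa0, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
static const unsigned char sample_stripped[12] =
    { 0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("RES_TRUSTAD known at build time: %d\n", have_res_trustad());
    printf("AD bit, validated reply: %d\n", dns_reply_ad_bit(sample_with_ad, 12));
    printf("AD bit, stripped reply:  %d\n", dns_reply_ad_bit(sample_stripped, 12));
    return 0;
}
```

If `have_res_trustad()` reports 0, the binary was built against headers that predate the option and will not request the AD bit even with the mask applied.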