Re: [exim] Failing for DNSSEC lookup

From: Viktor Dukhovni
Date:
To: exim-users
Subject: Re: [exim] Failing for DNSSEC lookup
On Sun, Mar 20, 2022 at 08:35:48PM +0100, Christian Eyrich via Exim-users wrote:

> my exim installation is failing when I try forcing DNSSEC for DANE using
> "dnssec_require_domains" for any domain.
>
> dnslookup_secure router: defer for dnssectest1@???
>    message: host lookup done insecurely
> chris@momos:~$ unbound-host -vDr mailbox.org
> mailbox.org has address 80.241.60.194 (secure)
> [...]
Even if the local (unbound) resolver performs DNSSEC validation and
signals a secure result via the "AD" bit in the DNS reply, a
sufficiently recent "glibc" will suppress the AD bit unless
/etc/resolv.conf sets the "trust-ad" resolver option:

    https://github.com/NLnetLabs/dnssec-trigger/issues/5#issuecomment-799847737
The most likely problem is that this is not set in your
/etc/resolv.conf file.

Note that you should not trust the "AD" bit from *remote* nameservers
whose replies to your libc stub resolver traverse insecure networks.
In practice this means that /etc/resolv.conf MUST ONLY contain the
127.0.0.1 and/or ::1 nameserver addresses.

-- 
    Viktor.
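A small audit script for the two resolv.conf conditions described above (the `trust-ad` option and loopback-only nameservers). This is an added example, not code from the post or from Exim; the function name and the constructed sample files are the example's own.

```sh
#!/bin/sh
# Added example: audit a resolv.conf for the conditions described in the
# reply above. glibc only passes the AD bit through when "options trust-ad"
# is set, and the AD bit should only be trusted from a validating resolver
# reachable on loopback (127.0.0.1 or ::1), never across a network.
# Usage: check_resolv_conf /etc/resolv.conf  (exit 0 only if both hold)
check_resolv_conf() {
    file="$1"
    status=0 trust_ad=0 have_ns=0
    # resolv.conf is line oriented: a keyword followed by whitespace-separated
    # values; '#' and ';' start comments.
    while read -r key rest; do
        case "$key" in
            ''|'#'*|';'*) continue ;;
            options)
                for opt in $rest; do
                    case "$opt" in
                        '#'*|';'*) break ;;          # rest of line is a comment
                        trust-ad) trust_ad=1 ;;
                    esac
                done ;;
            nameserver)
                have_ns=1
                set -- $rest                          # $1 is now the address
                case "$1" in
                    127.0.0.1|::1) ;;
                    *) echo "$file: nameserver '$1' is not loopback; its AD bit crosses the network and must not be trusted"
                       status=1 ;;
                esac ;;
        esac
    done < "$file"
    if [ "$trust_ad" -eq 0 ]; then
        echo "$file: 'options trust-ad' missing; glibc strips the AD bit, so Exim sees an insecure lookup"
        status=1
    fi
    if [ "$have_ns" -eq 0 ]; then
        echo "$file: no nameserver line"; status=1
    fi
    return "$status"
}

# Constructed sample configurations for the demonstration (not real files).
tmpdir=$(mktemp -d)
printf 'nameserver 127.0.0.1\noptions trust-ad edns0\n' > "$tmpdir/good.conf"
printf '# forwarder\nnameserver 192.0.2.53\nnameserver ::1\n' > "$tmpdir/bad.conf"
for f in "$tmpdir/good.conf" "$tmpdir/bad.conf"; do
    if check_resolv_conf "$f"; then echo "$f: OK"; fi
done
rm -rf "$tmpdir"
```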