Am 20.03.2022 um 22:28 schrieb Viktor Dukhovni via Exim-users:
> Even if the local (unbound) resolver performs DNSSEC validation and
> signals a secure result via the "AD" bit in the DNS reply, a
> sufficiently recent "glibc" will suppress the AD bit unless
> /etc/resolv.conf sets "trust-ad" resolver option:
>
> https://github.com/NLnetLabs/dnssec-trigger/issues/5#issuecomment-799847737
>
> The most likely problem is that this is not set in your
> /etc/resolv.conf file.
You nailed it, Viktor. It’s working now. Thank you very much.
And now I know that I was right that it worked in the past and why:
Debian Buster used glibc 2.28.
> Note that you should not trust the "AD" bit from *remote* nameservers
> whose replies to your libc stub resolver traverse insecure networks.
> In practice this means that /etc/resolv.conf MUST ONLY contain the
> 127.0.0.1 and/or ::1 nameserver addresses.
That’s no problem. My local unbound does do all the DNS resolution on
its own and 127.0.0.1 is the only entry in resolv.conf
Best regards,
Christian
