[exim] Follow-Up: options trust-ad

Pàgina inicial
Delete this message
Reply to this message
Autor: Wolfgang
Data:  
A: exim-users
Assumpte: [exim] Follow-Up: options trust-ad
Hi,

I just updated the github wiki page

The text was:
**If**, and _only_ if, the DNS resolver does not validate by default, then you need to ensure that your queries are marked as requiring DNSSEC.
On some platforms, this can be done with an option in `/etc/resolv.conf` but in all cases, in Exim's _main_ configuration section, you can add the directive:

Now it looks like:
If you are using a system, system, with **glibc 2.31** or newer, which was released back to 2020, you **MUST** add the following line into your _resolv.conf_,
and make sure, that it persists: `options trust-ad` See man resolv.conf for details.
Without this setting glibc drops the ad-bit from your authoritative nameserver and exim is therefore unable, to establish DANE secured connections.
For other non-glibc based systems, check your documentation, if there are similar needs.
In all cases, in Exim's _main_ configuration section, you can add the directive:

I did some research, why my DANE worked, when I was setting it up initially, and figure out, that
the need for this option was introduced with glibc v2.31 2020-02-01; and possibly a bit later
in several distributions.

In the main configuration there is already a similar wording in the description of "dns_dnssec_ok",
so this seems perfect.

Regards

Wolfgang


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/