author | Jeremy Harris <jgh146exb@wizmail.org> | 2015-06-20 15:20:54 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2015-06-20 15:20:54 +0100 |
commit | 09b80b4efb12380da54d64608fd0c1a37733c598 (patch) | |
tree | 389a4bb54adcc83831a89745019c1a6a2618ba1c /doc | |
parent | 9820a77f50ca1e33e8a0192ebd9cc11672b1f8e0 (diff) |
Add docs and massage coding standards for dns_trust_aa
Diffstat (limited to 'doc')
-rw-r--r-- | doc/doc-docbook/spec.xfpt | 21 | ||||
-rw-r--r-- | doc/doc-txt/NewStuff | 3 |
2 files changed, 24 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 09ce793b0..fefc8e3f3 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -11745,6 +11745,9 @@ a dnsdb lookup expansion, dnslookup router or smtp transport. It will be empty if &(DNSSEC)& was not requested, &"no"& if the result was not labelled as authenticated data and &"yes"& if it was. +Results that are labelled as authoritive answer that match +the $%dns_trust_aa%& configuration variable count also +as authenticated data. .vitem &$mailstore_basename$& .vindex "&$mailstore_basename$&" @@ -13586,6 +13589,7 @@ See also the &'Policy controls'& section above. .row &%dns_ipv4_lookup%& "only v4 lookup for these domains" .row &%dns_retrans%& "parameter for resolver" .row &%dns_retry%& "parameter for resolver" +.row &%dns_trust_aa%& "nameservers trusted as authentic" .row &%dns_use_edns0%& "parameter for resolver" .row &%hold_domains%& "hold delivery for these domains" .row &%local_interfaces%& "for routing checks" @@ -14283,6 +14287,23 @@ See also the &%slow_lookup_log%& option. See &%dns_retrans%& above. +.option dns_trust_aa main domain list&!! unset +.cindex "DNS" "resolver options" +.cindex "DNS" "DNSSEC" +If this option is set then lookup results marked with an AA bit +(Authoratative Answer) are trusted when they come from one +of the listed domains, as if they were marked as having been +DNSSEC-verified. + +Use this option only if you talk directly to the resolver +for your local domains, and list only it. +It is needed when the resolver does not return an AD bit +for its local domains. +The first SOA or NS record appearing in the results is compared +against the option value. + + +.cindex "DNS" "resolver options" .option dns_use_edns0 main integer -1 .cindex "DNS" "resolver options" .cindex "DNS" "EDNS0" diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 3c58b42ef..a0002b620 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff 
@@ -40,6 +40,9 @@ Version 4.86 13. Main option "tls_eccurve" for selecting an Elliptic Curve for TLS. Patch originally by Wolfgang Breyha. +14. Main option "dns_trust_aa" for trusting your local nameserver at the + same level as DNSSEC. + Version 4.85 ------------ |