diff options
author | Phil Pennock <pdp@exim.org> | 2020-04-21 18:59:15 -0400 |
---|---|---|
committer | Phil Pennock <pdp@exim.org> | 2020-04-21 18:59:15 -0400 |
commit | dce58c04af4439fec7269f83886e22b503756a8f (patch) | |
tree | 306a28dd1fea27591f0f4deb19e2e408ed7946b1 /test/mail/5005.nofile | |
parent | 47aaa9d6df68458c03a9fa65c6f2fd2bdee898f9 (diff) |
stop-gap: doc glibc 2.31 RES_TRUSTAD/trust-ad
In glibc from release 2.31 onwards (change added in their commit
446997ff14) setting `dns_dnssec_ok` will not be sufficient. glibc has
added a new `options trust-ad` toggle for `/etc/resolv.conf` and a C
macro `RES_TRUSTAD`.
This will break existing deployments and binaries.
Our current mechanism for enabling DNSSEC is with an option named to
closely match the DNS feature required, so it is probably inappropriate
to tinker with a second option there. Instead we probably need a new
meta-option for the concept of DNSSEC, add the second new flag there,
and move `dns_dnssec_ok` to a legacy deprecated option.
That will only work if the machine Exim is built on has the new C macro,
but will need to be conditional upon that macro being defined, so
binaries built aren't going to be forward-compatible to other systems
with newer glibc. There is no good solution to solve this.
In the meantime, document the issue and point administrators at how to
work around the issue with a setting in `/etc/resolv.conf`
Thanks to Viktor Dukhovni for highlighting the existence of this
problem.
Diffstat (limited to 'test/mail/5005.nofile')
0 files changed, 0 insertions, 0 deletions