-rw-r--r--doc/doc-docbook/spec.xfpt26
-rw-r--r--src/src/dns.c2
2 files changed, 27 insertions, 1 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 0f46896e9..c54437181 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -8120,7 +8120,7 @@ daemon as in the other SQL databases.
.new
.oindex &%sqlite_dbfile%&
-The preferred way of specifying the file is by using the
+The preferred way of specifying the file is by using the
&%sqlite_dbfile%& option, set to
an absolute path.
.wen
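Review bot: this hunk is a whitespace-only change (the removed and added lines differ only in trailing whitespace after "using the") and is unrelated to the DNSSEC documentation change that the rest of the patch makes; either drop it from this commit or mention it in the commit message so a later reader does not look for a semantic difference.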
@@ -13290,6 +13290,18 @@ library, by setting:
dns_dnssec_ok = 1
.endd
+.new
+In addition, on Linux with glibc 2.31 or newer the resolver library will
+default to stripping out a successful validation status.
+This will break a previously working Exim installation.
+Provided that you do trust the resolver (ie, is on localhost) you can tell
+glibc to pass through any successful validation with a new option in
+&_/etc/resolv.conf_&:
+.code
+options trust-ad
+.endd
+.wen
+
Exim does not perform DNSSEC validation itself, instead leaving that to a
validating resolver (e.g. unbound, or bind with suitable configuration).
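Review bot: the trust condition "Provided that you do trust the resolver (ie, is on localhost)" is ungrammatical and understates what trust-ad actually requires: glibc will then accept the AD bit from whatever answers on the configured nameserver address, so the requirement is that both the resolver and the path to it cannot be tampered with, which localhost satisfies but a LAN address generally does not. Suggest "Provided that you trust the resolver and the network path to it (for example, it runs on localhost), ...". "This will break a previously working Exim installation" is also vague; say what breaks, namely that Exim will no longer see any answer as DNSSEC-validated, even though the upstream resolver did validate it, and that this happens silently after a glibc upgrade with no Exim configuration change.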
@@ -15418,6 +15430,18 @@ default. A value of 0 coerces DNSSEC off, a value of 1 coerces DNSSEC on.
If the resolver library does not support DNSSEC then this option has no effect.
+.new
+On Linux with glibc 2.31 or newer this is insufficient, the resolver library
+will default to stripping out a successful validation status.
+This will break a previously working Exim installation.
+Provided that you do trust the resolver (ie, is on localhost) you can tell
+glibc to pass through any successful validation with a new option in
+&_/etc/resolv.conf_&:
+.code
+options trust-ad
+.endd
+.wen
+
.option dns_ipv4_lookup main "domain list&!!" unset
.cindex "IPv6" "DNS lookup for AAAA records"
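Review bot: this paragraph repeats, almost verbatim, the text added in the earlier hunk to the DNSSEC section (glibc 2.31, stripping the validation status, the trust-ad option); keeping two copies means they will drift apart, so prefer a short sentence here pointing at the DNSSEC section (the spec already uses cross-references for this) and keep the full explanation in one place. If both copies stay, fix the comma splice in "this is insufficient, the resolver library will default ..." (a semicolon or a full stop) and apply the same wording fix to "(ie, is on localhost)" as in the other hunk.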
diff --git a/src/src/dns.c b/src/src/dns.c
index d036162cb..e13aa74e2 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -501,6 +501,8 @@ const uschar * auth_name;
const uschar * trusted;
if (dnsa->answerlen < 0) return FALSE;
+/* Beware that newer versions of glibc on Linux will filter out the ad bit
+unless their shiny new RES_TRUSTAD bit is set for the resolver. */
if (h->ad) return TRUE;
/* If the resolver we ask is authoritative for the domain in question, it may
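Review bot: the new comment only records that glibc may clear the ad bit; the code still returns TRUE solely on h->ad and gives the administrator no signal when dnssec was requested but the bit is absent, which is exactly the silent-failure case the comment describes. Suggest a debug-level message on the fall-through path (after the `if (h->ad) return TRUE;`) stating that the answer carried no AD flag, so the trust-ad problem can be diagnosed from a debug run rather than by reading the source. Also name the actual knob in the comment (the RES_TRUSTAD resolver flag, set via "options trust-ad" in /etc/resolv.conf) and drop "shiny new", so the comment matches the wording the spec change uses and stays accurate once the option is no longer new.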