On 16.09.2014 at 00:55, Stuart Henderson wrote:
> On 2014-09-15, Marco Prause <marco-obsdm...@prause.eu> wrote:
>> Looking at lib/libc/net/res_query.c
>
> Try libc/asr/res_query.c ..

Thanks for the hint - I had a look at it, but sadly it doesn't help me
understand what's going on.

Having a look at postfix-src, I found a notice at
/usr/ports/distfiles/postfix/postfix-2.11.0/srcdns/dns_lookup.c
that says

...
/* .IP RES_USE_DNSSEC
/*      Request DNSSEC validation. This flag is silently ignored
/*      when the system stub resolver API, resolver(3), does not
/*      implement DNSSEC.
...

So far so good, but man resolver 3 also looks good to me:

...
RES_USE_EDNS0   Attach an OPT pseudo-RR for the EDNS0 extension, as
                specified in RFC 2671. This informs DNS servers of a
                client's receive buffer size, allowing them to take
                advantage of a non-default receive buffer size, and
                thus to send larger replies. DNS query packets with
                the EDNS0 extension are not compatible with non-EDNS0
                DNS servers.

RES_USE_DNSSEC  Request that the resolver uses Domain Name System
                Security Extensions (DNSSEC), as defined in RFCs 4033,
                4034, and 4035.
...

In include/resolv.h I also find global definitions for both:

...
#define RES_USE_EDNS0   0x40000000      /* use EDNS0 */
/* DNSSEC extensions: use higher bit to avoid conflict with ISC use */
#define RES_USE_DNSSEC  0x20000000      /* use DNSSEC using OK bit in OPT */
...

but I can't see it being used anywhere in the query parts at
getrrsetbyname.c, res_mkquery.c, res_query.c - they are mentioned only
in the responses, but in my opinion the DO bit also has to be set in the
query to signal the usage of DNSSEC, and this is what I didn't see when
sniffing on the outgoing interface.

Regards,
Marco
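
Added example, not part of the original message and not OpenBSD or Postfix code: a small C check for what the post describes looking for in a capture, namely whether an outgoing DNS query carries an EDNS0 OPT pseudo-RR with the DO bit set. The function name dns_query_do_bit and the sample query bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Skip a DNS name at off; return the offset just past it, or 0 if malformed. */
static size_t skip_name(const uint8_t *p, size_t len, size_t off) {
    while (off < len) {
        uint8_t l = p[off];
        if (l == 0) return off + 1;                 /* root label ends the name */
        if ((l & 0xC0) == 0xC0) return off + 2 <= len ? off + 2 : 0; /* pointer */
        if (l & 0xC0) return 0;                     /* reserved label type */
        off += 1 + (size_t)l;
    }
    return 0;
}

/* 1: OPT RR with DO set; 0: OPT RR without DO; -1: no OPT RR; -2: malformed. */
int dns_query_do_bit(const uint8_t *p, size_t len) {
    if (len < 12) return -2;
    unsigned qd = (unsigned)p[4] << 8 | p[5];
    unsigned rr = ((unsigned)p[6] << 8 | p[7]) + ((unsigned)p[8] << 8 | p[9]) +
                  ((unsigned)p[10] << 8 | p[11]);
    size_t off = 12;
    for (unsigned i = 0; i < qd; i++) {             /* question: name, type, class */
        off = skip_name(p, len, off);
        if (off == 0 || off + 4 > len) return -2;
        off += 4;
    }
    for (unsigned i = 0; i < rr; i++) {             /* RR: name + 10 fixed bytes */
        off = skip_name(p, len, off);
        if (off == 0 || off + 10 > len) return -2;
        unsigned type = (unsigned)p[off] << 8 | p[off + 1];
        unsigned rdlen = (unsigned)p[off + 8] << 8 | p[off + 9];
        /* OPT (type 41) reuses TTL as ext-rcode, version, flags; DO is flags bit 15. */
        if (type == 41) return (p[off + 6] & 0x80) ? 1 : 0;
        off += 10 + rdlen;
        if (off > len) return -2;
    }
    return -1;
}
/* Constructed sample queries for example.com A (not captured traffic). */
#define QHDR(ar) 0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, (ar)
#define QUESTION 7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0, 0, 1, 0, 1
const uint8_t q_plain[] = { QHDR(0), QUESTION };
const uint8_t q_edns0[] = { QHDR(1), QUESTION, 0, 0, 41, 0x10, 0, 0, 0, 0x00, 0, 0, 0 };
const uint8_t q_dnssec[] = { QHDR(1), QUESTION, 0, 0, 41, 0x10, 0, 0, 0, 0x80, 0, 0, 0 };
int main(void) {
    printf("plain=%d edns0=%d dnssec=%d\n", dns_query_do_bit(q_plain, sizeof q_plain),
           dns_query_do_bit(q_edns0, sizeof q_edns0),
           dns_query_do_bit(q_dnssec, sizeof q_dnssec));
}
```

Feed it the UDP payload of a query taken from a capture: a result of -1 means no OPT RR was sent at all, and 0 means EDNS0 was sent but without the DO bit.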