Florian Weimer:
> If the administrator has enabled DANE, you could check whether
> RES_TRUSTAD is enabled, and if not, complain loudly that the
> configured name servers are not marked as trusted (and may not even
> support DNSSEC validation). This is why we expose the RES_TRUSTAD flag
> via _res.options: not to overwrite it, but to detect this situation.
>
> Maybe that's an approach that a future Postfix version could take?

Possibly, but rest assured that all such features will remain disabled by default for at least one year after there is wide deployment of code that manages the new resolv.conf flag, and there is a documented record of the new failure modes that come with this.

	Wietse
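
The check described in the quoted text above, sketched in C as an added example; it is not part of either message and is not Postfix code. The names `dane_enabled`, `classify_trustad` and `resolver_trustad_status` are hypothetical, and the `#ifdef` assumes a libc that may predate `RES_TRUSTAD` (glibc added it in 2.31).

```c
#include <stdio.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

enum trustad_status { TRUSTAD_NOT_NEEDED, TRUSTAD_OK, TRUSTAD_MISSING, TRUSTAD_UNKNOWN };

/* Pure decision: given the application's DANE setting (hypothetical flag) and
 * the resolver option bits, say whether the AD bit can be relied on. */
enum trustad_status classify_trustad(int dane_enabled, unsigned long options)
{
    if (!dane_enabled)
        return TRUSTAD_NOT_NEEDED;
#ifdef RES_TRUSTAD
    return (options & RES_TRUSTAD) ? TRUSTAD_OK : TRUSTAD_MISSING;
#else
    (void) options;             /* libc has no trust-ad concept to inspect */
    return TRUSTAD_UNKNOWN;
#endif
}

/* Read-only use of _res.options: the flag is inspected, never overwritten. */
enum trustad_status resolver_trustad_status(int dane_enabled)
{
    if (res_init() != 0)
        return TRUSTAD_UNKNOWN;
    return classify_trustad(dane_enabled, _res.options);
}

int main(void)
{
    int dane_enabled = 1;       /* assumption: stands in for the admin's DANE setting */

    switch (resolver_trustad_status(dane_enabled)) {
    case TRUSTAD_MISSING:
        fprintf(stderr, "warning: DANE is enabled but RES_TRUSTAD is not set; the "
                "configured name servers are not marked as trusted\n");
        return 1;
    case TRUSTAD_UNKNOWN:
        fprintf(stderr, "warning: cannot determine the resolver's trust-ad state\n");
        return 2;
    default:
        puts("resolver trust-ad state is consistent with the DANE setting");
        return 0;
    }
}
```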