Florian Weimer:
> * Wietse Venema:
>
> > Florian Weimer:
> >> * Rich Felker:
> >>
> >> > A solution that would work with existing and future versions of musl
> >> > as well as glibc, and would (I think) avoid the need to poke at _res
> >> > to set the glibc trustad flag, would be replacing the call to
> >> > res_query with res_mkquery, |='ing the AD bit into place, then
> >> > res_send.
> >>
> >> This will not give the result that Postfix programmers want on newer
> >> glibc versions (not without the trust-ad flag in /etc/resolv.conf).
> >
> > The problem with using low-level res_*mkquery() is that Postfix
> > would have to re-implement all the high-level res_search() features
> > such as RES_DEFNAMES, RES_DNSRCH, retries over TCP after receiving
> > a truncated response, and so on.
>
> I don't think this is actually an issue: TCP fallback is still
> performed with res_send. If you care about DNSSEC validation, you
> cannot really use search list processing anyway because you might not
> get back the name you wanted after an unauthenticated query failure,
> so the lack thereof with res_send actually avoids the cumbersome flags
> manipulation.

Fine, so res_*send() does retry. As for RES_DEFNAMES and RES_DNSRCH,
these might be needed for lookups other than DNSSEC, so I can't
simply drop support for them.

> Anyway, lack of TCP fallback in the musl stub resolver will break a
> lot of mail-related things anyway. Most people probably want to use
> DANE in conjunction with SPF and DKIM, and some TXT queries (as used
> with SPF) absolutely do require TCP fallback to succeed. So yes,
> people who want to use musl need to get their stub resolver from
> somewhere else.

	Wietse
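
The header-level steps discussed in the thread (build a query, OR the AD bit into place, then check the reply for AD and for truncation), as an added example that is not part of the original messages or of Postfix. `build_query` is a hand-written stand-in for `res_mkquery` so the block runs offline; the function names and return codes are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

#define DNS_HDR_LEN 12
#define FLAG_QR 0x80   /* header byte 2: message is a response */
#define FLAG_TC 0x02   /* header byte 2: truncated, retry over TCP */
#define FLAG_RD 0x01   /* header byte 2: recursion desired */
#define FLAG_AD 0x20   /* header byte 3: authentic data */

/* Stand-in for res_mkquery(): one question, class IN, RD set.
 * Returns the query length, or -1 on a bad name or short buffer. */
int build_query(const char *name, uint16_t qtype, uint16_t id,
                unsigned char *buf, size_t buflen)
{
    size_t off = DNS_HDR_LEN;
    if (buflen < DNS_HDR_LEN) return -1;
    memset(buf, 0, DNS_HDR_LEN);
    buf[0] = (unsigned char)(id >> 8); buf[1] = (unsigned char)(id & 0xff);
    buf[2] = FLAG_RD; buf[5] = 1;      /* QDCOUNT = 1 */
    while (*name) {                    /* encode each label as <len><bytes> */
        const char *dot = strchr(name, '.');
        size_t len = dot ? (size_t)(dot - name) : strlen(name);
        if (len == 0 || len > 63 || off + len + 1 > buflen) return -1;
        buf[off++] = (unsigned char)len;
        memcpy(buf + off, name, len);
        off += len;
        name += len + (dot ? 1 : 0);
    }
    if (off + 5 > buflen) return -1;
    buf[off++] = 0;                    /* root label ends the name */
    buf[off++] = (unsigned char)(qtype >> 8); buf[off++] = (unsigned char)(qtype & 0xff);
    buf[off++] = 0; buf[off++] = 1;    /* QCLASS = IN */
    return (int)off;
}

/* The "|= the AD bit" step: signals interest in the AD bit of the reply. */
int set_ad(unsigned char *msg, int len)
{
    if (len < DNS_HDR_LEN) return -1;
    msg[3] |= FLAG_AD;
    return 0;
}

/* Reply header: -1 malformed, 0 not authenticated, 1 AD set, 2 truncated. */
int classify_reply(const unsigned char *msg, int len)
{
    if (len < DNS_HDR_LEN || !(msg[2] & FLAG_QR)) return -1;
    if (msg[2] & FLAG_TC) return 2;
    return (msg[3] & FLAG_AD) ? 1 : 0;
}
```

With the real resolver API, the buffer from `res_mkquery` would take the place of `build_query`, and the reply classified here would be the one `res_send` returns.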