* Wietse Venema:

> Florian Weimer:
>> * Wietse Venema:
>> 
>> > Florian Weimer:
>> >> * Rich Felker:
>> >> 
>> >> > A solution that would work with existing and future versions of musl
>> >> > as well as glibc, and would (I think) avoid the need to poke at _res
>> >> > to set the glibc trustad flag, would be replacing the call to
>> >> > res_query with res_mkquery, |='ing the AD bit into place, then
>> >> > res_send.
>> >> 
>> >> This will not give the result that Postfix programmers want on newer
>> >> glibc versions (not without the trust-ad flag in /etc/resolv.conf).
>> >
>> > The problem with using low-level res_*mkquery() is that Postfix
>> > would have to re-implement all the high-level res_search() features
>> > such as RES_DEFNAMES, RES_DNSRCH, retries over TCP after receiving
>> > a truncated response, and so on.
>> 
>> I don't think this is actually an issue: TCP fallback is still
>> performed with res_send.  If you care about DNSSEC validation, you
>> cannot really use search list processing anyway because you might not
>> get back the name you wanted after an unauthenticated query failure,
>> so the lack thereof with res_send actually avoids the cumbersome flags
>> manipulation.
>
> Fine, so res_*send() does retry.
>
> As for RES_DEFNAMES and RES_DNSRCH, these might be needed for lookups
> other than DNSSEC, so I can't simply drop support for them.

I think the way you manipulate the flags essentially turns res_search
into res_query, so why not call res_query directly?

(I think I've mentioned that before; sorry if it was considered and
rejected.)
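
Added example, not part of the original message and not Postfix code: the approach Rich Felker describes in the quoted text (res_mkquery, OR the AD bit into the header, then res_send), written out in C. The helper names build_ad_query and response_ad, the sample header bytes and the default name example.org. are assumptions made for illustration; as stated in the thread, on newer glibc the AD result is not what Postfix wants unless trust-ad is set in /etc/resolv.conf.

```c
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
#include <stdio.h>

#define DNS_QR 0x80   /* header byte 2: message is a response */
#define DNS_AD 0x20   /* header byte 3: Authentic Data */

/* Build a query with res_mkquery() and OR the AD bit into the header.
 * Returns the query length, or -1 on failure. (Hypothetical helper.) */
int build_ad_query(const char *name, int type, unsigned char *buf, int buflen)
{
    int len = res_mkquery(ns_o_query, name, ns_c_in, type,
                          NULL, 0, NULL, buf, buflen);
    if (len < NS_HFIXEDSZ)
        return -1;
    buf[3] |= DNS_AD;
    return len;
}

/* 1 if the response has AD set, 0 if not, -1 if the message is shorter
 * than a DNS header or is not a response. (Hypothetical helper.) */
int response_ad(const unsigned char *msg, int len)
{
    if (len < NS_HFIXEDSZ || !(msg[2] & DNS_QR))
        return -1;
    return (msg[3] & DNS_AD) ? 1 : 0;
}

/* Some systems need -lresolv at link time. */
int main(int argc, char **argv)
{
    /* Constructed response header (QR, RD, RA, AD set), checked offline. */
    unsigned char sample[NS_HFIXEDSZ] = { 0x12, 0x34, 0x81, 0xa0, 0, 1 };
    static unsigned char query[NS_PACKETSZ], answer[NS_MAXMSG];
    const char *name = argc > 1 ? argv[1] : "example.org.";
    int qlen, alen;

    printf("constructed header: AD=%d\n", response_ad(sample, sizeof(sample)));
    if ((qlen = build_ad_query(name, ns_t_mx, query, sizeof(query))) < 0) {
        fprintf(stderr, "res_mkquery failed\n");
        return 1;
    }
    /* No search-list processing happens here: the name is sent as given. */
    if ((alen = res_send(query, qlen, answer, sizeof(answer))) < 0) {
        fprintf(stderr, "res_send failed\n");
        return 1;
    }
    printf("%s: AD=%d\n", name, response_ad(answer, alen));
    return 0;
}
```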
