Postfix outgoing DANE incompatible with musl
Original thread here: https://marc.info/?l=postfix-users&m=158670132004643&w=2
Postfix needs the resolver library to send a query with the AD bit set, which musl does not yet do because it's not clear if it would result in compatibility problems with legacy/broken nameservers, and making it configurable is a pain. If the outgoing AD bit is not set, the response will not indicate whether the result was in a signed zone (even if the nameserver does support DNSSEC) and will appear as if it was not, so DANE will be ignored.
I'm working on determining how this can be fixed upstream, but a simple workaround on the Postfix side would be replacing the res_query call with res_mkquery, followed by setting the AD bit manually in the query message buffer and calling res_send. This is like a trivial two-line patch, I think.
Postfix upstream is pretty grumpy about the situation and may also have introduced "blah blah musl is broken" warnings in the build or such, so we should probably check that nothing's broken by that.
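The workaround described in this report, written out as an added example; it is not code from Postfix, musl, or the original thread. The helper names, the literal 52 for the TLSA record type, and the sample owner name are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

#define DNS_HDR_LEN 12    /* fixed DNS header size */
#define DNS_FLAG_AD 0x20  /* AD lives in header byte 3: RA|Z|AD|CD|RCODE */
#define TLSA_TYPE   52    /* TLSA RR type, as a literal for older headers */

/* Set AD in an already-built query. Returns 0, or -1 if too short. */
int dns_set_ad(unsigned char *msg, int len) {
    if (msg == NULL || len < DNS_HDR_LEN) return -1;
    msg[3] |= DNS_FLAG_AD;
    return 0;
}

/* 1 if the reply carries AD, 0 if not, -1 if truncated or not a reply. */
int dns_reply_has_ad(const unsigned char *msg, int len) {
    if (msg == NULL || len < DNS_HDR_LEN) return -1;
    if (!(msg[2] & 0x80)) return -1;            /* QR bit clear: a query */
    return (msg[3] & DNS_FLAG_AD) ? 1 : 0;
}

/* res_mkquery builds the message, then AD is flipped on in the buffer. */
int build_ad_query(const char *name, int type, unsigned char *buf, int buflen) {
    int len = res_mkquery(ns_o_query, name, ns_c_in, type,
                          NULL, 0, NULL, buf, buflen);
    if (len < 0 || dns_set_ad(buf, len) < 0) return -1;
    return len;
}

/* Stand-in for res_query: returns reply length, *validated = reply AD bit. */
int query_with_ad(const char *name, int type,
                  unsigned char *ans, int anslen, int *validated) {
    unsigned char q[512];
    int qlen = build_ad_query(name, type, q, sizeof q);
    if (qlen < 0) return -1;
    int alen = res_send(q, qlen, ans, anslen);
    if (alen < 0) return -1;
    if (alen > anslen) alen = anslen;           /* defensive clamp */
    *validated = (dns_reply_has_ad(ans, alen) == 1);
    return alen;
}

int main(void) {
    unsigned char ans[4096];
    int ad = 0;  /* constructed sample name; needs a reachable resolver */
    int n = query_with_ad("_25._tcp.mail.example.org", TLSA_TYPE, ans, sizeof ans, &ad);
    printf("reply=%d bytes, AD=%d\n", n, ad);
    return n < 0;
}
```

The AD bit in the reply is only as trustworthy as the path to the resolver that set it, so this belongs with a validating resolver on the local host. On glibc older than 2.34 the program must be linked with -lresolv.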