diff --git a/postfix/HISTORY b/postfix/HISTORY
index e9c8bfa12..1bbaaf430 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -22186,3 +22186,10 @@ Apologies for any names omitted.
complicating troubleshooting. The fix is to log additional
context to clarify that this "no match" condition is for
smtpd_log_access_permit_actions. File: smtpd/smtpd_check.c.
+
+20150709
+
+ Cleanup: un-break some DNS unit tests by replacing non-portable
+ numerical flags with portable symbolic names in the verbose
+ command output. Files: dns/dns_str_resflags.c, dns/dns_lookup.c,
+ dns/Makefile.in, many *.ref files.
diff --git a/postfix/RELEASE_NOTES-3.1 b/postfix/RELEASE_NOTES-3.1
index 5a5eed240..aa2fbf257 100644
--- a/postfix/RELEASE_NOTES-3.1
+++ b/postfix/RELEASE_NOTES-3.1
@@ -14,6 +14,7 @@ The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.
If you upgrade from Postfix 2.11 or earlier, read RELEASE_NOTES-3.0
+before proceeding.
Major changes - address verification safety
-------------------------------------------
@@ -127,9 +128,6 @@ with a corresponding "smtpd_policy_service_policy_context" configuration
parameter. Originally, this was implemented to share the same SMTPD
policy service endpoint among multiple check_policy_service clients.
-Incompatible change with Postfix snapshot 20150721
-==================================================
-
Major changes - tls
-------------------
@@ -146,15 +144,6 @@ existence of a secure TLSA record implies that the host wants to
talk TLS and not plaintext. For details see the
smtp_tls_dane_insecure_mx_policy configuration parameter.
-[Incompat 20150719] The default Diffie-Hellman non-export prime was
-updated from 1024 to 2048 bits, because SMTP clients are starting
-to reject TLS handshakes with primes smaller than 2048 bits.
-
-Historically, this prime size is not negotiable, and each site needs
-to determine which prime size works best for the majority of its
-clients. See FORWARD_SECRECY_README for some hints in the quick-start
-section.
-
[Incompat 20150721] As of the middle of 2015, all supported Postfix
releases no longer enable "export" grade ciphers for opportunistic
TLS, and no longer use the deprecated SSLv2 and SSLv3 protocols for
@@ -186,3 +175,12 @@ selective, use "-o name=value" parameter overrides on specific
services in master.cf. Execute the command "postfix reload" to make
the changes effective.
+[Incompat 20150719] The default Diffie-Hellman non-export prime was
+updated from 1024 to 2048 bits, because SMTP clients are starting
+to reject TLS handshakes with primes smaller than 2048 bits.
+
+Historically, this prime size is not negotiable, and each site needs
+to determine which prime size works best for the majority of its
+clients. See FORWARD_SECRECY_README for some hints in the quick-start
+section.
+
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index d1e40fa68..bf116d65f 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -8,6 +8,9 @@ Wish list:
Fix "make test" bitrot.
+ Document dns_ncache_ttl_fix_enable use case in POSTSCREEN_README
+ and RELEASE_NOTES.
+
Remove this file from the stable release.
Things to do after the stable release:
diff --git a/postfix/conf/postfix-tls-script b/postfix/conf/postfix-tls-script
index c8e991e59..c43ed10dc 100644
--- a/postfix/conf/postfix-tls-script
+++ b/postfix/conf/postfix-tls-script
@@ -116,12 +116,13 @@
# and certificate). After the new certificate and key are
# deployed any obsolete keys and certificates may be removed
# by hand. The \fIkeyfile\fR and \fIcertfile\fR filenames
-# are relative to the Postfix configuration directory.
+# may be relative to the Postfix configuration directory.
# .IP "\fBoutput-server-csr\fR [\fB-k \fIkeyfile\fR] [\fIhostname\fB...\fR]"
# Write to stdout a certificate signing request (CSR) for the
# specified \fIkeyfile\fR.
# .sp
-# Instead of a filename, \fIkeyfile\fR may specify one of the
+# Instead of an absolute pathname or a pathname relative to
+# $config_directory, \fIkeyfile\fR may specify one of the
# supported key algorithm names (see "\fBpostconf -T
# public-key-algorithms\fR"). In that case, the corresponding
# setting from main.cf is used to locate the \fIkeyfile\fR.
@@ -136,7 +137,8 @@
# the specified \fIkeyfile\fR values. The default \fIhostname\fR
# is the value of the \fBmyhostname\fR main.cf parameter.
# .sp
-# Instead of filenames, the \fIkeyfile\fR list may specify
+# Instead of absolute pathnames or pathnames relative to
+# $config_directory, the \fIkeyfile\fR list may specify
# names of supported public key algorithms (see "\fBpostconf
# -T public-key-algorithms\fR"). In that case, the actual
# \fIkeyfile\fR list uses the values of the corresponding
diff --git a/postfix/html/postfix-tls.1.html b/postfix/html/postfix-tls.1.html
index 520c0bd97..d34989dc9 100644
--- a/postfix/html/postfix-tls.1.html
+++ b/postfix/html/postfix-tls.1.html
@@ -115,31 +115,33 @@ POSTFIX-TLS(1) POSTFIX-TLS(1)
to deploy the generated key and certificate). After the new
certificate and key are deployed any obsolete keys and certifi-
cates may be removed by hand. The keyfile and certfile file-
- names are relative to the Postfix configuration directory.
+ names may be relative to the Postfix configuration directory.
output-server-csr [-k keyfile] [hostname...]
Write to stdout a certificate signing request (CSR) for the
specified keyfile.
- Instead of a filename, keyfile may specify one of the supported
- key algorithm names (see "postconf -T public-key-algorithms").
- In that case, the corresponding setting from main.cf is used to
+ Instead of an absolute pathname or a pathname relative to $con-
+ fig_directory, keyfile may specify one of the supported key
+ algorithm names (see "postconf -T public-key-algorithms"). In
+ that case, the corresponding setting from main.cf is used to
locate the keyfile. The default keyfile value is rsa.
- Zero or more hostname values can be specified. The default
+ Zero or more hostname values can be specified. The default
hostname is the value of myhostname main.cf parameter.
output-server-tlsa [-h hostname] [keyfile...]
- Write to stdout a DANE TLSA RRset suitable for a port 25 SMTP
+ Write to stdout a DANE TLSA RRset suitable for a port 25 SMTP
server on host hostname with keys from any of the specified key-
- file values. The default hostname is the value of the myhost-
+ file values. The default hostname is the value of the myhost-
name main.cf parameter.
- Instead of filenames, the keyfile list may specify names of sup-
- ported public key algorithms (see "postconf -T public-key-algo-
- rithms"). In that case, the actual keyfile list uses the values
- of the corresponding Postfix server TLS key file parameters. If
- a parameter value is empty or equal to none, then no TLSA record
+ Instead of absolute pathnames or pathnames relative to $con-
+ fig_directory, the keyfile list may specify names of supported
+ public key algorithms (see "postconf -T public-key-algorithms").
+ In that case, the actual keyfile list uses the values of the
+ corresponding Postfix server TLS key file parameters. If a
+ parameter value is empty or equal to none, then no TLSA record
is output for that algorithm.
The default keyfile list consists of the two supported algo-
diff --git a/postfix/man/man1/postfix-tls.1 b/postfix/man/man1/postfix-tls.1
index 406be571b..3569f503e 100644
--- a/postfix/man/man1/postfix-tls.1
+++ b/postfix/man/man1/postfix-tls.1
@@ -120,12 +120,13 @@ display the full command needed to deploy the generated key
and certificate). After the new certificate and key are
deployed any obsolete keys and certificates may be removed
by hand. The \fIkeyfile\fR and \fIcertfile\fR filenames
-are relative to the Postfix configuration directory.
+may be relative to the Postfix configuration directory.
.IP "\fBoutput\-server\-csr\fR [\fB\-k \fIkeyfile\fR] [\fIhostname\fB...\fR]"
Write to stdout a certificate signing request (CSR) for the
specified \fIkeyfile\fR.
.sp
-Instead of a filename, \fIkeyfile\fR may specify one of the
+Instead of an absolute pathname or a pathname relative to
+$config_directory, \fIkeyfile\fR may specify one of the
supported key algorithm names (see "\fBpostconf \-T
public\-key\-algorithms\fR"). In that case, the corresponding
setting from main.cf is used to locate the \fIkeyfile\fR.
@@ -140,7 +141,8 @@ SMTP server on host \fIhostname\fR with keys from any of
the specified \fIkeyfile\fR values. The default \fIhostname\fR
is the value of the \fBmyhostname\fR main.cf parameter.
.sp
-Instead of filenames, the \fIkeyfile\fR list may specify
+Instead of absolute pathnames or pathnames relative to
+$config_directory, the \fIkeyfile\fR list may specify
names of supported public key algorithms (see "\fBpostconf
\-T public\-key\-algorithms\fR"). In that case, the actual
\fIkeyfile\fR list uses the values of the corresponding
diff --git a/postfix/src/dns/Makefile.in b/postfix/src/dns/Makefile.in
index 8e87a5e50..2046a71c8 100644
--- a/postfix/src/dns/Makefile.in
+++ b/postfix/src/dns/Makefile.in
@@ -1,10 +1,10 @@
SHELL = /bin/sh
SRCS = dns_lookup.c dns_rr.c dns_strerror.c dns_strtype.c dns_rr_to_pa.c \
dns_sa_to_rr.c dns_rr_eq_sa.c dns_rr_to_sa.c dns_strrecord.c \
- dns_rr_filter.c
+ dns_rr_filter.c dns_str_resflags.c
OBJS = dns_lookup.o dns_rr.o dns_strerror.o dns_strtype.o dns_rr_to_pa.o \
dns_sa_to_rr.o dns_rr_eq_sa.o dns_rr_to_sa.o dns_strrecord.o \
- dns_rr_filter.o
+ dns_rr_filter.o dns_str_resflags.o
HDRS = dns.h
TESTSRC = test_dns_lookup.c test_alias_token.c
DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
@@ -275,6 +275,8 @@ depend: $(MAKES)
@$(EXPORT) make -f Makefile.in Makefile 1>&2
# do not edit below this line - it is generated by 'make depend'
+dns_lookup.o: dns.h
+dns_lookup.o: dns_lookup.c
dns_lookup.o: ../../include/argv.h
dns_lookup.o: ../../include/check_arg.h
dns_lookup.o: ../../include/dict.h
@@ -291,19 +293,8 @@ dns_lookup.o: ../../include/valid_hostname.h
dns_lookup.o: ../../include/vbuf.h
dns_lookup.o: ../../include/vstream.h
dns_lookup.o: ../../include/vstring.h
-dns_lookup.o: dns.h
-dns_lookup.o: dns_lookup.c
-dns_rr.o: ../../include/check_arg.h
-dns_rr.o: ../../include/msg.h
-dns_rr.o: ../../include/myaddrinfo.h
-dns_rr.o: ../../include/mymalloc.h
-dns_rr.o: ../../include/myrand.h
-dns_rr.o: ../../include/sock_addr.h
-dns_rr.o: ../../include/sys_defs.h
-dns_rr.o: ../../include/vbuf.h
-dns_rr.o: ../../include/vstring.h
-dns_rr.o: dns.h
-dns_rr.o: dns_rr.c
+dns_rr_eq_sa.o: dns.h
+dns_rr_eq_sa.o: dns_rr_eq_sa.c
dns_rr_eq_sa.o: ../../include/check_arg.h
dns_rr_eq_sa.o: ../../include/msg.h
dns_rr_eq_sa.o: ../../include/myaddrinfo.h
@@ -311,8 +302,8 @@ dns_rr_eq_sa.o: ../../include/sock_addr.h
dns_rr_eq_sa.o: ../../include/sys_defs.h
dns_rr_eq_sa.o: ../../include/vbuf.h
dns_rr_eq_sa.o: ../../include/vstring.h
-dns_rr_eq_sa.o: dns.h
-dns_rr_eq_sa.o: dns_rr_eq_sa.c
+dns_rr_filter.o: dns.h
+dns_rr_filter.o: dns_rr_filter.c
dns_rr_filter.o: ../../include/argv.h
dns_rr_filter.o: ../../include/check_arg.h
dns_rr_filter.o: ../../include/dict.h
@@ -325,8 +316,19 @@ dns_rr_filter.o: ../../include/sys_defs.h
dns_rr_filter.o: ../../include/vbuf.h
dns_rr_filter.o: ../../include/vstream.h
dns_rr_filter.o: ../../include/vstring.h
-dns_rr_filter.o: dns.h
-dns_rr_filter.o: dns_rr_filter.c
+dns_rr.o: dns.h
+dns_rr.o: dns_rr.c
+dns_rr.o: ../../include/check_arg.h
+dns_rr.o: ../../include/msg.h
+dns_rr.o: ../../include/myaddrinfo.h
+dns_rr.o: ../../include/mymalloc.h
+dns_rr.o: ../../include/myrand.h
+dns_rr.o: ../../include/sock_addr.h
+dns_rr.o: ../../include/sys_defs.h
+dns_rr.o: ../../include/vbuf.h
+dns_rr.o: ../../include/vstring.h
+dns_rr_to_pa.o: dns.h
+dns_rr_to_pa.o: dns_rr_to_pa.c
dns_rr_to_pa.o: ../../include/check_arg.h
dns_rr_to_pa.o: ../../include/msg.h
dns_rr_to_pa.o: ../../include/myaddrinfo.h
@@ -334,8 +336,8 @@ dns_rr_to_pa.o: ../../include/sock_addr.h
dns_rr_to_pa.o: ../../include/sys_defs.h
dns_rr_to_pa.o: ../../include/vbuf.h
dns_rr_to_pa.o: ../../include/vstring.h
-dns_rr_to_pa.o: dns.h
-dns_rr_to_pa.o: dns_rr_to_pa.c
+dns_rr_to_sa.o: dns.h
+dns_rr_to_sa.o: dns_rr_to_sa.c
dns_rr_to_sa.o: ../../include/check_arg.h
dns_rr_to_sa.o: ../../include/msg.h
dns_rr_to_sa.o: ../../include/myaddrinfo.h
@@ -343,8 +345,8 @@ dns_rr_to_sa.o: ../../include/sock_addr.h
dns_rr_to_sa.o: ../../include/sys_defs.h
dns_rr_to_sa.o: ../../include/vbuf.h
dns_rr_to_sa.o: ../../include/vstring.h
-dns_rr_to_sa.o: dns.h
-dns_rr_to_sa.o: dns_rr_to_sa.c
+dns_sa_to_rr.o: dns.h
+dns_sa_to_rr.o: dns_sa_to_rr.c
dns_sa_to_rr.o: ../../include/check_arg.h
dns_sa_to_rr.o: ../../include/msg.h
dns_sa_to_rr.o: ../../include/myaddrinfo.h
@@ -352,16 +354,16 @@ dns_sa_to_rr.o: ../../include/sock_addr.h
dns_sa_to_rr.o: ../../include/sys_defs.h
dns_sa_to_rr.o: ../../include/vbuf.h
dns_sa_to_rr.o: ../../include/vstring.h
-dns_sa_to_rr.o: dns.h
-dns_sa_to_rr.o: dns_sa_to_rr.c
+dns_strerror.o: dns.h
+dns_strerror.o: dns_strerror.c
dns_strerror.o: ../../include/check_arg.h
dns_strerror.o: ../../include/myaddrinfo.h
dns_strerror.o: ../../include/sock_addr.h
dns_strerror.o: ../../include/sys_defs.h
dns_strerror.o: ../../include/vbuf.h
dns_strerror.o: ../../include/vstring.h
-dns_strerror.o: dns.h
-dns_strerror.o: dns_strerror.c
+dns_strrecord.o: dns.h
+dns_strrecord.o: dns_strrecord.c
dns_strrecord.o: ../../include/check_arg.h
dns_strrecord.o: ../../include/msg.h
dns_strrecord.o: ../../include/myaddrinfo.h
@@ -369,16 +371,24 @@ dns_strrecord.o: ../../include/sock_addr.h
dns_strrecord.o: ../../include/sys_defs.h
dns_strrecord.o: ../../include/vbuf.h
dns_strrecord.o: ../../include/vstring.h
-dns_strrecord.o: dns.h
-dns_strrecord.o: dns_strrecord.c
+dns_str_resflags.o: dns.h
+dns_str_resflags.o: dns_str_resflags.c
+dns_str_resflags.o: ../../include/check_arg.h
+dns_str_resflags.o: ../../include/myaddrinfo.h
+dns_str_resflags.o: ../../include/name_mask.h
+dns_str_resflags.o: ../../include/sock_addr.h
+dns_str_resflags.o: ../../include/sys_defs.h
+dns_str_resflags.o: ../../include/vbuf.h
+dns_str_resflags.o: ../../include/vstring.h
+dns_strtype.o: dns.h
+dns_strtype.o: dns_strtype.c
dns_strtype.o: ../../include/check_arg.h
dns_strtype.o: ../../include/myaddrinfo.h
dns_strtype.o: ../../include/sock_addr.h
dns_strtype.o: ../../include/sys_defs.h
dns_strtype.o: ../../include/vbuf.h
dns_strtype.o: ../../include/vstring.h
-dns_strtype.o: dns.h
-dns_strtype.o: dns_strtype.c
+test_dns_lookup.o: dns.h
test_dns_lookup.o: ../../include/argv.h
test_dns_lookup.o: ../../include/check_arg.h
test_dns_lookup.o: ../../include/mail_params.h
@@ -391,5 +401,4 @@ test_dns_lookup.o: ../../include/sys_defs.h
test_dns_lookup.o: ../../include/vbuf.h
test_dns_lookup.o: ../../include/vstream.h
test_dns_lookup.o: ../../include/vstring.h
-test_dns_lookup.o: dns.h
test_dns_lookup.o: test_dns_lookup.c
diff --git a/postfix/src/dns/dns.h b/postfix/src/dns/dns.h
index c3fb5a43a..8ea5b9178 100644
--- a/postfix/src/dns/dns.h
+++ b/postfix/src/dns/dns.h
@@ -300,6 +300,11 @@ extern int dns_rr_filter_execute(DNS_RR **);
#endif
+ /*
+ * dns_str_resflags.c
+ */
+const char *dns_str_resflags(unsigned long);
+
/* LICENSE
/* .ad
/* .fi
diff --git a/postfix/src/dns/dns_lookup.c b/postfix/src/dns/dns_lookup.c
index fe59aa647..f41a2a6c2 100644
--- a/postfix/src/dns/dns_lookup.c
+++ b/postfix/src/dns/dns_lookup.c
@@ -1084,8 +1084,8 @@ int dns_lookup_rl(const char *name, unsigned flags, DNS_RR **rrlist,
for (type = va_arg(ap, unsigned); type != 0; type = next) {
next = va_arg(ap, unsigned);
if (msg_verbose)
- msg_info("lookup %s type %s flags %d",
- name, dns_strtype(type), flags);
+ msg_info("lookup %s type %s flags %s",
+ name, dns_strtype(type), dns_str_resflags(flags));
status = dns_lookup_x(name, type, flags, rrlist ? &rr : (DNS_RR **) 0,
fqdn, why, rcode, lflags);
if (rrlist && rr)
@@ -1136,8 +1136,8 @@ int dns_lookup_rv(const char *name, unsigned flags, DNS_RR **rrlist,
for (type = *types++; type != 0; type = next) {
next = *types++;
if (msg_verbose)
- msg_info("lookup %s type %s flags %d",
- name, dns_strtype(type), flags);
+ msg_info("lookup %s type %s flags %s",
+ name, dns_strtype(type), dns_str_resflags(flags));
status = dns_lookup_x(name, type, flags, rrlist ? &rr : (DNS_RR **) 0,
fqdn, why, rcode, lflags);
if (rrlist && rr)
diff --git a/postfix/src/dns/dns_str_resflags.c b/postfix/src/dns/dns_str_resflags.c
new file mode 100644
index 000000000..4885dfe34
--- /dev/null
+++ b/postfix/src/dns/dns_str_resflags.c
@@ -0,0 +1,114 @@
+/*++
+/* NAME
+/* dns_str_resflags 3
+/* SUMMARY
+/* convert resolver flags to printable form
+/* SYNOPSIS
+/* #include
+/*
+/* const char *dns_str_resflags(mask)
+/* unsigned long mask;
+/* DESCRIPTION
+/* dns_str_resflags() converts RES_* resolver(5) flags from internal
+/* form to printable string. Individual flag names are separated
+/* with '|'. The result is overwritten with each call.
+/* LICENSE
+/* .ad
+/* .fi
+/* The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
+/*--*/
+
+ /*
+ * System library.
+ */
+#include
+#include
+#include
+#include
+
+ /*
+ * Utility library.
+ */
+#include
+
+ /*
+ * DNS library.
+ */
+#include
+
+ /*
+ * Application-specific.
+ */
+
+ /*
+ * This list overlaps with dns_res_opt_masks[] in smtp.c, but there we
+ * permit only a small subset of all possible flags.
+ */
+static const LONG_NAME_MASK resflag_table[] = {
+ "RES_INIT", RES_INIT,
+ "RES_DEBUG", RES_DEBUG,
+ "RES_AAONLY", RES_AAONLY,
+ "RES_USEVC", RES_USEVC,
+ "RES_PRIMARY", RES_PRIMARY,
+ "RES_IGNTC", RES_IGNTC,
+ "RES_RECURSE", RES_RECURSE,
+ "RES_DEFNAMES", RES_DEFNAMES,
+ "RES_STAYOPEN", RES_STAYOPEN,
+ "RES_DNSRCH", RES_DNSRCH,
+ "RES_INSECURE1", RES_INSECURE1,
+ "RES_INSECURE2", RES_INSECURE2,
+ "RES_NOALIASES", RES_NOALIASES,
+ "RES_USE_INET6", RES_USE_INET6,
+ "RES_ROTATE", RES_ROTATE,
+ "RES_NOCHECKNAME", RES_NOCHECKNAME,
+ "RES_USE_EDNS0", RES_USE_EDNS0,
+ "RES_USE_DNSSEC", RES_USE_DNSSEC,
+#ifdef RES_KEEPTSIG
+ "RES_KEEPTSIG", RES_KEEPTSIG,
+#endif
+#ifdef RES_BLAST
+ "RES_BLAST", RES_BLAST,
+#endif
+#ifdef RES_USEBSTRING
+ "RES_USEBSTRING", RES_USEBSTRING,
+#endif
+#ifdef RES_NSID
+ "RES_NSID", RES_NSID,
+#endif
+#ifdef RES_NOIP6DOTINT
+ "RES_NOIP6DOTINT", RES_NOIP6DOTINT,
+#endif
+#ifdef RES_USE_DNAME
+ "RES_USE_DNAME", RES_USE_DNAME,
+#endif
+#ifdef RES_NO_NIBBLE2
+ "RES_NO_NIBBLE2", RES_NO_NIBBLE2,
+#endif
+#ifdef RES_SNGLKUP
+ "RES_SNGLKUP", RES_SNGLKUP,
+#endif
+#ifdef RES_SNGLKUPREOP
+ "RES_SNGLKUPREOP", RES_SNGLKUPREOP,
+#endif
+#ifdef RES_NOTLDQUERY
+ "RES_NOTLDQUERY", RES_NOTLDQUERY,
+#endif
+ 0,
+};
+
+/* dns_str_resflags - convert RES_* resolver flags to printable form */
+
+const char *dns_str_resflags(unsigned long mask)
+{
+ static VSTRING *buf;
+
+ if (buf == 0)
+ buf = vstring_alloc(20);
+ return (str_long_name_mask_opt(buf, "dsns_str_resflags", resflag_table,
+ mask, NAME_MASK_NUMBER | NAME_MASK_PIPE));
+}
diff --git a/postfix/src/dns/dnsbl_ttl_127.0.0.1_bind_ncache.ref b/postfix/src/dns/dnsbl_ttl_127.0.0.1_bind_ncache.ref
index 134309fd6..cbfc05931 100644
--- a/postfix/src/dns/dnsbl_ttl_127.0.0.1_bind_ncache.ref
+++ b/postfix/src/dns/dnsbl_ttl_127.0.0.1_bind_ncache.ref
@@ -1,13 +1,13 @@
-./test_dns_lookup: lookup 1.0.0.127.zen.spamhaus.org type A flags 2097152
+./test_dns_lookup: lookup 1.0.0.127.zen.spamhaus.org type A flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: 1.0.0.127.zen.spamhaus.org (A): Host not found
./test_dns_lookup: dns_get_answer: type SOA for zen.spamhaus.org
./test_dns_lookup: warning: Host or domain name not found. Name service error for name=1.0.0.127.zen.spamhaus.org type=A: Host not found (rcode=3)
1.0.0.127.zen.spamhaus.org: fqdn: zen.spamhaus.org
ad: 0, rr: zen.spamhaus.org. TTL IN SOA - - D D D D D
-./test_dns_lookup: lookup 1.0.0.127.b.barracudacentral.org type A flags 2097152
+./test_dns_lookup: lookup 1.0.0.127.b.barracudacentral.org type A flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: 1.0.0.127.b.barracudacentral.org (A): Host not found
./test_dns_lookup: warning: Host or domain name not found. Name service error for name=1.0.0.127.b.barracudacentral.org type=A: Host not found (rcode=3)
-./test_dns_lookup: lookup 1.0.0.127.bl.spamcop.net type A flags 2097152
+./test_dns_lookup: lookup 1.0.0.127.bl.spamcop.net type A flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: 1.0.0.127.bl.spamcop.net (A): Host not found
./test_dns_lookup: dns_get_answer: type SOA for bl.spamcop.net
./test_dns_lookup: warning: Host or domain name not found. Name service error for name=1.0.0.127.bl.spamcop.net type=A: Host not found (rcode=3)
diff --git a/postfix/src/dns/dnsbl_ttl_127.0.0.1_bind_plain.ref b/postfix/src/dns/dnsbl_ttl_127.0.0.1_bind_plain.ref
index e5741d34c..eee08eb16 100644
--- a/postfix/src/dns/dnsbl_ttl_127.0.0.1_bind_plain.ref
+++ b/postfix/src/dns/dnsbl_ttl_127.0.0.1_bind_plain.ref
@@ -1,9 +1,9 @@
-./test_dns_lookup: lookup 1.0.0.127.zen.spamhaus.org type A flags 2097152
+./test_dns_lookup: lookup 1.0.0.127.zen.spamhaus.org type A flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: 1.0.0.127.zen.spamhaus.org (A): Host not found
./test_dns_lookup: warning: Host or domain name not found. Name service error for name=1.0.0.127.zen.spamhaus.org type=A: Host not found (rcode=3)
-./test_dns_lookup: lookup 1.0.0.127.b.barracudacentral.org type A flags 2097152
+./test_dns_lookup: lookup 1.0.0.127.b.barracudacentral.org type A flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: 1.0.0.127.b.barracudacentral.org (A): Host not found
./test_dns_lookup: warning: Host or domain name not found. Name service error for name=1.0.0.127.b.barracudacentral.org type=A: Host not found (rcode=3)
-./test_dns_lookup: lookup 1.0.0.127.bl.spamcop.net type A flags 2097152
+./test_dns_lookup: lookup 1.0.0.127.bl.spamcop.net type A flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: 1.0.0.127.bl.spamcop.net (A): Host not found
./test_dns_lookup: warning: Host or domain name not found. Name service error for name=1.0.0.127.bl.spamcop.net type=A: Host not found (rcode=3)
diff --git a/postfix/src/dns/dnsbl_ttl_127.0.0.2_bind_plain.ref b/postfix/src/dns/dnsbl_ttl_127.0.0.2_bind_plain.ref
index 06bc7d848..f1eb56b2d 100644
--- a/postfix/src/dns/dnsbl_ttl_127.0.0.2_bind_plain.ref
+++ b/postfix/src/dns/dnsbl_ttl_127.0.0.2_bind_plain.ref
@@ -1,14 +1,14 @@
-./test_dns_lookup: lookup 2.0.0.127.zen.spamhaus.org type A flags 2097152
+./test_dns_lookup: lookup 2.0.0.127.zen.spamhaus.org type A flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: 2.0.0.127.zen.spamhaus.org (A): OK
./test_dns_lookup: dns_get_answer: type A for 2.0.0.127.zen.spamhaus.org
2.0.0.127.zen.spamhaus.org: fqdn: 2.0.0.127.zen.spamhaus.org
ad: 0, rr: 2.0.0.127.zen.spamhaus.org. TTL IN A 127.0.0.D
-./test_dns_lookup: lookup 2.0.0.127.b.barracudacentral.org type A flags 2097152
+./test_dns_lookup: lookup 2.0.0.127.b.barracudacentral.org type A flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: 2.0.0.127.b.barracudacentral.org (A): OK
./test_dns_lookup: dns_get_answer: type A for 2.0.0.127.b.barracudacentral.org
2.0.0.127.b.barracudacentral.org: fqdn: 2.0.0.127.b.barracudacentral.org
ad: 0, rr: 2.0.0.127.b.barracudacentral.org. TTL IN A 127.0.0.D
-./test_dns_lookup: lookup 2.0.0.127.bl.spamcop.net type A flags 2097152
+./test_dns_lookup: lookup 2.0.0.127.bl.spamcop.net type A flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: 2.0.0.127.bl.spamcop.net (A): OK
./test_dns_lookup: dns_get_answer: type A for 2.0.0.127.bl.spamcop.net
2.0.0.127.bl.spamcop.net: fqdn: 2.0.0.127.bl.spamcop.net
diff --git a/postfix/src/dns/error.ref b/postfix/src/dns/error.ref
index 4b19ee499..806cfe042 100644
--- a/postfix/src/dns/error.ref
+++ b/postfix/src/dns/error.ref
@@ -1,10 +1,10 @@
-./test_dns_lookup: lookup spike.porcupine.org type A flags 2097152
+./test_dns_lookup: lookup spike.porcupine.org type A flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: spike.porcupine.org (A): OK
./test_dns_lookup: dns_get_answer: type A for spike.porcupine.org
./test_dns_lookup: dict_regexp_lookup: error.reg: spike.porcupine.org. 3600 IN A 168.100.189.2
./test_dns_lookup: maps_find: DNS reply filter: regexp:error.reg(0,lock|fold_fix): spike.porcupine.org. 3600 IN A 168.100.189.2 = oops
./test_dns_lookup: warning: DNS reply filter: unknown DNS filter action: "oops"
-./test_dns_lookup: lookup spike.porcupine.org type AAAA flags 2097152
+./test_dns_lookup: lookup spike.porcupine.org type AAAA flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: spike.porcupine.org (AAAA): OK
./test_dns_lookup: dns_get_answer: type AAAA for spike.porcupine.org
./test_dns_lookup: dict_regexp_lookup: error.reg: spike.porcupine.org. 3600 IN AAAA 2604:8d00:189::2
diff --git a/postfix/src/dns/mxonly_test.ref b/postfix/src/dns/mxonly_test.ref
index ec8eda54c..9437eb96f 100644
--- a/postfix/src/dns/mxonly_test.ref
+++ b/postfix/src/dns/mxonly_test.ref
@@ -1,9 +1,9 @@
-./test_dns_lookup: lookup porcupine.org type MX flags 2097152
+./test_dns_lookup: lookup porcupine.org type MX flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: porcupine.org (MX): OK
./test_dns_lookup: dns_get_answer: type MX for porcupine.org
./test_dns_lookup: dns_get_answer: type MX for porcupine.org
./test_dns_lookup: dns_get_answer: type MX for porcupine.org
-./test_dns_lookup: lookup porcupine.org type A flags 2097152
+./test_dns_lookup: lookup porcupine.org type A flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: porcupine.org (A): Host found but no data record of requested type
ad: 0, rr: porcupine.org. 3600 IN MX 10 spike.porcupine.org.
ad: 0, rr: porcupine.org. 3600 IN MX 20 fist.porcupine.org.
diff --git a/postfix/src/dns/no-a.ref b/postfix/src/dns/no-a.ref
index 72b64446e..88ba511c4 100644
--- a/postfix/src/dns/no-a.ref
+++ b/postfix/src/dns/no-a.ref
@@ -1,10 +1,10 @@
-./test_dns_lookup: lookup spike.porcupine.org type A flags 2097152
+./test_dns_lookup: lookup spike.porcupine.org type A flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: spike.porcupine.org (A): OK
./test_dns_lookup: dns_get_answer: type A for spike.porcupine.org
./test_dns_lookup: dict_regexp_lookup: no-a.reg: spike.porcupine.org. 3600 IN A 168.100.189.2
./test_dns_lookup: maps_find: DNS reply filter: regexp:no-a.reg(0,lock|fold_fix): spike.porcupine.org. 3600 IN A 168.100.189.2 = ignore
./test_dns_lookup: ignoring DNS RR: spike.porcupine.org. 3600 IN A 168.100.189.2
-./test_dns_lookup: lookup spike.porcupine.org type AAAA flags 2097152
+./test_dns_lookup: lookup spike.porcupine.org type AAAA flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: spike.porcupine.org (AAAA): OK
./test_dns_lookup: dns_get_answer: type AAAA for spike.porcupine.org
./test_dns_lookup: dict_regexp_lookup: no-a.reg: spike.porcupine.org. 3600 IN AAAA 2604:8d00:189::2
diff --git a/postfix/src/dns/no-aaaa.ref b/postfix/src/dns/no-aaaa.ref
index eabe0525a..f2a678c33 100644
--- a/postfix/src/dns/no-aaaa.ref
+++ b/postfix/src/dns/no-aaaa.ref
@@ -1,9 +1,9 @@
-./test_dns_lookup: lookup spike.porcupine.org type A flags 2097152
+./test_dns_lookup: lookup spike.porcupine.org type A flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: spike.porcupine.org (A): OK
./test_dns_lookup: dns_get_answer: type A for spike.porcupine.org
./test_dns_lookup: dict_regexp_lookup: no-aaaa.reg: spike.porcupine.org. 3600 IN A 168.100.189.2
./test_dns_lookup: maps_find: DNS reply filter: spike.porcupine.org. 3600 IN A 168.100.189.2: not found
-./test_dns_lookup: lookup spike.porcupine.org type AAAA flags 2097152
+./test_dns_lookup: lookup spike.porcupine.org type AAAA flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: spike.porcupine.org (AAAA): OK
./test_dns_lookup: dns_get_answer: type AAAA for spike.porcupine.org
./test_dns_lookup: dict_regexp_lookup: no-aaaa.reg: spike.porcupine.org. 3600 IN AAAA 2604:8d00:189::2
diff --git a/postfix/src/dns/no-mx.ref b/postfix/src/dns/no-mx.ref
index 314541b6a..37357941e 100644
--- a/postfix/src/dns/no-mx.ref
+++ b/postfix/src/dns/no-mx.ref
@@ -8,7 +8,7 @@
./test_dns_lookup: ignoring DNS RR: porcupine.org. 3600 IN MX 10 spike.porcupine.org.
./test_dns_lookup: ignoring DNS RR: porcupine.org. 3600 IN MX 20 fist.porcupine.org.
./test_dns_lookup: ignoring DNS RR: porcupine.org. 3600 IN MX 30 m1.porcupine.org.
-./test_dns_lookup: lookup porcupine.org type MX flags 2097152
+./test_dns_lookup: lookup porcupine.org type MX flags RES_USE_DNSSEC
./test_dns_lookup: maps_find: DNS reply filter: regexp:no-mx.reg(0,lock|fold_fix): porcupine.org. 3600 IN MX 10 spike.porcupine.org. = ignore
./test_dns_lookup: maps_find: DNS reply filter: regexp:no-mx.reg(0,lock|fold_fix): porcupine.org. 3600 IN MX 20 fist.porcupine.org. = ignore
./test_dns_lookup: maps_find: DNS reply filter: regexp:no-mx.reg(0,lock|fold_fix): porcupine.org. 3600 IN MX 30 m1.porcupine.org. = ignore
diff --git a/postfix/src/dns/nullmx_test.ref b/postfix/src/dns/nullmx_test.ref
index 176023889..2386b5361 100644
--- a/postfix/src/dns/nullmx_test.ref
+++ b/postfix/src/dns/nullmx_test.ref
@@ -1,7 +1,7 @@
-./test_dns_lookup: lookup nullmx.porcupine.org type MX flags 2097152
+./test_dns_lookup: lookup nullmx.porcupine.org type MX flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: nullmx.porcupine.org (MX): OK
./test_dns_lookup: dns_get_answer: type MX for nullmx.porcupine.org
-./test_dns_lookup: lookup nullmx.porcupine.org type A flags 2097152
+./test_dns_lookup: lookup nullmx.porcupine.org type A flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: nullmx.porcupine.org (A): OK
./test_dns_lookup: dns_get_answer: type A for nullmx.porcupine.org
nullmx.porcupine.org: fqdn: nullmx.porcupine.org
diff --git a/postfix/src/dns/nxdomain_test.ref b/postfix/src/dns/nxdomain_test.ref
index aecbeb454..15be203b1 100644
--- a/postfix/src/dns/nxdomain_test.ref
+++ b/postfix/src/dns/nxdomain_test.ref
@@ -1,5 +1,5 @@
-./test_dns_lookup: lookup nxdomain.porcupine.org type MX flags 2097152
+./test_dns_lookup: lookup nxdomain.porcupine.org type MX flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: nxdomain.porcupine.org (MX): Host not found
-./test_dns_lookup: lookup nxdomain.porcupine.org type A flags 2097152
+./test_dns_lookup: lookup nxdomain.porcupine.org type A flags RES_USE_DNSSEC
./test_dns_lookup: dns_query: nxdomain.porcupine.org (A): Host not found
./test_dns_lookup: warning: Host or domain name not found. Name service error for name=nxdomain.porcupine.org type=A: Host not found (rcode=3)
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index fbdcfed9d..de3453960 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20160221"
+#define MAIL_RELEASE_DATE "20160224"
#define MAIL_VERSION_NUMBER "3.2"
#ifdef SNAPSHOT