+HEADER * h = (HEADER *) dnsa->answer;
+const uschar * auth_name;
+const uschar * trusted;
+
+if (h->ad) return TRUE;
+
+/* If the resolver we ask is authoritive for the domain in question, it
+* may not set the AD but the AA bit. If we explicitly trust
+* the resolver for that domain (via a domainlist in dns_trust_aa),
+* we return TRUE to indicate a secure answer.
+*/
+
+if ( !h->aa
+ || !dns_trust_aa
+ || !(trusted = expand_string(dns_trust_aa))
+ || !*trusted
+ || !(auth_name = dns_extract_auth_name(dnsa))
+ || OK != match_isinlist(auth_name, &trusted, 0, NULL, NULL,
+ MCL_DOMAIN, TRUE, NULL)
+ )
+ return FALSE;
+
+DEBUG(D_dns) debug_printf("DNS faked the AD bit "
+ "(got AA and matched with dns_trust_aa (%s in %s))\n",
+ auth_name, dns_trust_aa);
+
+return TRUE;