X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/d34c22b8288153f147af068d4c14ed8fcc8b9692..dce58c04af4439fec7269f83886e22b503756a8f:/doc/doc-docbook/spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 87e5e088f..c54437181 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -8120,7 +8120,7 @@ daemon as in the other SQL databases.
 
 .new
 .oindex &%sqlite_dbfile%&
-The preferred way of specifying the file is by using the 
+The preferred way of specifying the file is by using the
 &%sqlite_dbfile%& option, set to
 an absolute path.
 .wen
@@ -13290,6 +13290,18 @@ library, by setting:
 dns_dnssec_ok = 1
 .endd
 
+.new
+In addition, on Linux with glibc 2.31 or newer the resolver library will
+default to stripping out a successful validation status.
+This will break a previously working Exim installation.
+Provided that you do trust the resolver (ie, is on localhost) you can tell
+glibc to pass through any successful validation with a new option in
+&_/etc/resolv.conf_&:
+.code
+options trust-ad
+.endd
+.wen
+
 Exim does not perform DNSSEC validation itself, instead leaving that to a
 validating resolver (e.g. unbound, or bind with suitable configuration).
 
@@ -15418,6 +15430,18 @@ default. A value of 0 coerces DNSSEC off, a value of 1 coerces DNSSEC on.
 
 If the resolver library does not support DNSSEC then this option has no effect.
 
+.new
+On Linux with glibc 2.31 or newer this is insufficient, the resolver library
+will default to stripping out a successful validation status.
+This will break a previously working Exim installation.
+Provided that you do trust the resolver (ie, is on localhost) you can tell
+glibc to pass through any successful validation with a new option in
+&_/etc/resolv.conf_&:
+.code
+options trust-ad
+.endd
+.wen
+
 
 .option dns_ipv4_lookup main "domain list&!!" unset
 .cindex "IPv6" "DNS lookup for AAAA records"
@@ -16955,7 +16979,7 @@ received_header_text = Received: \
         ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
   by $primary_hostname \
   ${if def:received_protocol {with $received_protocol }}\
-  ${if def:tls_ver           { ($tls_ver)}}\
+  ${if def:tls_in_ver        { ($tls_in_ver)}}\
   ${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}\
   (Exim $version_number)\n\t\
   ${if def:sender_address \
@@ -16964,7 +16988,8 @@ received_header_text = Received: \
   ${if def:received_for {\n\tfor $received_for}}
 .endd
 
-The reference to the TLS cipher is omitted when Exim is built without TLS
+The references to the TLS version and cipher are
+omitted when Exim is built without TLS
 support. The use of conditional expansions ensures that this works for both
 locally generated messages and messages received from remote hosts, giving
 header lines such as the following: