-else
- {
- /* If the resolver we ask is authoritive for the domain in question, it
- * may not set the AD but the AA bit. If we explicitly trust
- * the resolver for that domain (via a domainlist in dns_trust_aa),
- * we return TRUE to indicate a secure answer.
- */
- const uschar *auth_name;
- const uschar *trusted;
-
- if (!h->aa || !dns_trust_aa) return FALSE;
-
- trusted = expand_string(dns_trust_aa);
- auth_name = dns_extract_auth_name(dnsa);
- if (OK != match_isinlist(auth_name, &trusted, 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL))
- return FALSE;