+HEADER *h = (HEADER *) dnsa->answer;
+
+if (h->ad) return TRUE;
+else
+ {
+ /* If the resolver we ask is authoritive for the domain in question, it
+ * may not set the AD but the AA bit. If we explicitly trust
+ * the resolver for that domain (via a domainlist in dns_trust_aa),
+ * we return TRUE to indicate a secure answer.
+ */
+ const uschar *auth_name;
+ const uschar *trusted;
+
+ if (!h->aa || !dns_trust_aa) return FALSE;
+
+ trusted = expand_string(dns_trust_aa);
+ auth_name = dns_extract_auth_name(dnsa);
+ if (OK != match_isinlist(auth_name, &trusted, 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL))
+ return FALSE;
+
+ DEBUG(D_dns)
+ debug_printf("DNS faked the AD bit (got AA and matched with dns_trust_aa (%s in %s))\n", auth_name, dns_trust_aa);
+
+ return TRUE;
+}