Re: [exim] exim and dnssec

Author: Ted Cooper
Date:  
To: Exim Users List
Subject: Re: [exim] exim and dnssec
On Tue, 2009-07-14 at 21:48 +0200, Mark Elkins wrote:
> Is anyone looking at having Exim become DNSSEC aware - look at the AD
> bit - stuff like that. Perhaps add the DNS Status as a mail header? - or
> as a variable so that tests can be done?
>
> The root gets signed by the end of the year.
>
> just thinking out aloud in key strokes.


DNSSEC just makes sure that the answers received in DNS lookups are
valid and came from the right place. Doesn't it?

My understanding of DNSSEC is fairly basic at this time as I haven't had
the time to attempt to deploy it on my zones or resolver yet.

I would have thought the responsibility for doing DNS lookups and
validating them would fall to the resolver library. In the event there
is a DNSSEC failure, the resolver simply returns SERVFAIL or lookup
fail. The normal Exim behaviour when this happens is dependent on where
it was called.

Say it was when doing a "verify = recipient" - in this case the default
Exim config (and I would have thought everyone's) would defer the RCPT TO
temporarily and stick a message in the log file. A DNSSEC failure and a
complete DNS lookup failure would be identical in the present. You
wouldn't want to accept mail from a domain that was NXDOMAIN or SERVFAIL
at that point.

Am I looking at this the wrong way, or have I missed the point of DNSSEC?

Could you be more specific as to what you think should change in Exim to
support DNSSEC and where you would use it?

--
The Exim manual - http://docs.exim.org
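The post above argues about two things a mail server could observe from its resolver: the AD ("Authentic Data") flag in a validated answer, and the fact that a validating resolver turns a DNSSEC failure into a plain SERVFAIL, indistinguishable from any other lookup failure. The following Python block is an added illustration of that, not code from this thread or from Exim. It parses the 12-byte DNS header (RFC 1035 layout, with the AD and CD bits from RFC 4035) out of raw response bytes and classifies the response the way a caller would have to. The sample messages are constructed inline for the example; `classify` and `build_header` are names chosen here, not Exim or resolver-library APIs.

```python
import struct
from dataclasses import dataclass

# DNS header flag bits (RFC 1035 section 4.1.1, AD/CD from RFC 4035 section 3.2):
#  bit 15 QR, bits 14-11 OPCODE, 10 AA, 9 TC, 8 RD, 7 RA, 6 Z, 5 AD, 4 CD, 3-0 RCODE
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


@dataclass
class DnsHeader:
    id: int
    qr: bool       # 1 = response, 0 = query
    opcode: int
    aa: bool       # authoritative answer
    tc: bool       # truncated
    rd: bool       # recursion desired
    ra: bool       # recursion available
    ad: bool       # Authentic Data: the resolver validated this answer with DNSSEC
    cd: bool       # Checking Disabled: client asked the resolver not to validate
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed 12-byte header at the start of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return DnsHeader(
        id=ident,
        qr=bool((flags >> 15) & 1),
        opcode=(flags >> 11) & 0xF,
        aa=bool((flags >> 10) & 1),
        tc=bool((flags >> 9) & 1),
        rd=bool((flags >> 8) & 1),
        ra=bool((flags >> 7) & 1),
        ad=bool((flags >> 5) & 1),
        cd=bool((flags >> 4) & 1),
        rcode=flags & 0xF,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def classify(msg: bytes) -> str:
    """What a caller can conclude from the header alone.

    A validating resolver answers a DNSSEC validation failure with SERVFAIL,
    so at this layer it cannot be told apart from a server or network failure.
    Only a NOERROR answer carrying AD says the data was validated; NOERROR
    without AD means the zone is unsigned, or the resolver did not validate.
    """
    h = parse_header(msg)
    if not h.qr:
        return "QUERY"
    if h.rcode == 0:
        return "SECURE" if h.ad else "INSECURE"
    return RCODE_NAMES.get(h.rcode, f"RCODE{h.rcode}")


def build_header(ident: int, *, qr: bool, rd: bool = True, ra: bool = True,
                 ad: bool = False, cd: bool = False, rcode: int = 0,
                 qdcount: int = 1, ancount: int = 0) -> bytes:
    """Construct a 12-byte header for test input (no question/answer sections)."""
    flags = ((int(qr) << 15) | (int(rd) << 8) | (int(ra) << 7)
             | (int(ad) << 5) | (int(cd) << 4) | (rcode & 0xF))
    return struct.pack("!6H", ident, flags, qdcount, ancount, 0, 0)


# Constructed sample headers (not captured traffic):
SAMPLE_SECURE = bytes.fromhex("1a2b81a00001000100000000")    # NOERROR, RD RA AD set
SAMPLE_INSECURE = bytes.fromhex("1a2c81800001000100000000")  # NOERROR, no AD
SAMPLE_SERVFAIL = bytes.fromhex("1a2d81820001000000000000")  # SERVFAIL: validation or server failure
SAMPLE_NXDOMAIN = bytes.fromhex("1a2e81830001000000000000")  # NXDOMAIN

if __name__ == "__main__":
    for name, sample in [("secure", SAMPLE_SECURE), ("insecure", SAMPLE_INSECURE),
                         ("servfail", SAMPLE_SERVFAIL), ("nxdomain", SAMPLE_NXDOMAIN)]:
        print(f"{name:9s} -> {classify(sample)}")
```

One caveat a practitioner would add when acting on the AD bit: it is only meaningful if the path between the mail server and the validating resolver is trusted (typically a validator on localhost), because the flag is just a bit in an unauthenticated UDP header and anything in between can set or clear it. A resolver also generally sets AD only when the query asked for it (AD or DO bit set), which is exactly the kind of detail a resolver-library caller does not normally control.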