Re: [exim] exim and dnssec

Top Page

Reply to this message
Author: Mark Elkins
To: exim-users
Subject: Re: [exim] exim and dnssec
On Wed, 2009-07-15 at 13:09 +1000, Ted Cooper wrote:
> On Tue, 2009-07-14 at 21:48 +0200, Mark Elkins wrote:
> > Is anyone looking at having Exim become DNSSEC aware - look at the AD
> > bit - stuff like that. Perhaps add the DNS Status as a mail header? - or
> > as a variable so that tests can be done?
> >
> > The root gets signed by the end of the year.
> >
> > just thinking out aloud in key strokes.
> DNSSEC just makes sure that the answers received in DNS lookups are
> valid and came from the right place. Doesn't it?

(I'm very green at DNSSEC but...)
There are three (four?) possible states...
1 - The DNS query is not signed.
2 - The DNS query is signed and the answer is verified correct
3.1 - The DNS query is signed and the answer is verified incorrect
      because someone is injecting a Cache server with bad information.
3.2 - The DNS query is signed and the answer is verified incorrect
      because someone has broken something (very lightly to happen!).

I have no idea if the standard DNS lookup calls even give this bit back
(getaddrinfo() - etc). I do know that there are various patches (or
clues) available at

> My understanding of DNSSEC is fairly basic at this time as I haven't had
> the time to attempt to deploy it on my zones or resolver yet.
> I would have thought the responsibility for doing DNS lookups and
> validating them would fall to the resolver library. In the event there
> is a DNSSEC failure, the resolver simply returns SERVFAIL or lookup
> fail. The normal Exim behaviour when this happens is dependant on where
> it was called.

I think the resolver just sets the flags and allows the application to make
up its own mind as to what to do. That is how it was explained to me.

> Say it was when doing a "verify = recipient" - in this case the default
> Exim config (and I would have thought everyones) would defer the RCPT TO
> temporarily and stick a message in the log file. A DNSSEC failure and a
> complete DNS lookup failure would be identical in the present. You
> wouldn't want to accept mail from a domain that was NXDOMAIN or SERVFAIL
> at that point.
> Am I looking this the wrong way, or have I missed the point of DNSSEC?
> Could you be more specific as to what you think should change in Exim to
> support DNSSEC and where you would use it?

I was thinking along the lines of making the info available - and allowing
people to make up their own minds.

ie - if the DNS is signed but has failed validation - then defer anything
to do with that e-mail. Failure could mean either someone injecting bad
records or someone has broken something.

DNSSEC also means that its possible to insert 'Security Key' info into the
DNS that is reasonably tamper proof (assuming the zone is signed).
ie - it would be a simple way to add trust. ie for PGP signatures, dkim or

I'm only trying to explore ideas.

> --
> The Exim manual -

  .  .     ___. .__      Posix Systems - Sth Africa
 /| /|       / /__       mje@???  -  Mark J Elkins, SCO ACE,
Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496