Re: [exim] exim and dnssec

Author: Ted Cooper
Date:  
To: exim-users
Subject: Re: [exim] exim and dnssec
On Wed, 2009-07-15 at 10:45 +0200, Mark Elkins wrote:
> On Wed, 2009-07-15 at 13:09 +1000, Ted Cooper wrote:
> > On Tue, 2009-07-14 at 21:48 +0200, Mark Elkins wrote:
> > > Is anyone looking at having Exim become DNSSEC aware - look at the AD
> > > bit - stuff like that. Perhaps add the DNS Status as a mail header? - or
> > > as a variable so that tests can be done?
> > >
> > > The root gets signed by the end of the year.
> > >
> > > just thinking out aloud in key strokes.
> >
> > DNSSEC just makes sure that the answers received in DNS lookups are
> > valid and came from the right place. Doesn't it?
>
> (I'm very green at DNSSEC but...)
> There are three (four?) possible states...
> 1 - The DNS query is not signed.
> 2 - The DNS query is signed and the answer is verified correct
> 3.1 - The DNS query is signed and the answer is verified incorrect
>       because someone is injecting a Cache server with bad information.
> 3.2 - The DNS query is signed and the answer is verified incorrect
>       because someone has broken something (very lightly to happen!).
>
> I have no idea if the standard DNS lookup calls even give this bit back
> (getaddrinfo() - etc). I do know that there are various patches (or
> clues) available at http://www.dnssec-deployment.org/tracker/

So I had a little bit of a browse around and it seems that Postfix and
Sendmail have DNSSEC support where they won't deliver outbound email to
fraudulently signed MX records which specify verification is required.

This is rather puzzling since I was under the impression that DNSSEC was
meant to be completely transparent, at the resolver layer, and simply
wouldn't return results if they were invalid, i.e. SERVFAIL or similar.

At this point I'm hoping that someone else here might know more about
the specifics of how DNSSEC is supposed to work at the application
level.

The Sendmail and Postfix patches seem to use libval, a DNSSEC validation
library. If it was to be added as a dependency to Exim, we'd have to
make it a conditional build inclusion.

Support should probably be added to "sender = verify" type lookups,
"dnsdb" lookups, routers and transports.

libspf2 has a patch/update to it as well, but I don't know if anything
changes with that interface or if additional calls are required to get
the DNSSEC status of the SPF result - I don't think it would change but
it probably needs to be checked.

I'll open up a bugzilla entry for it, but before I have a half-arsed
look at it, is there anyone willing to program it up?

--
The Exim manual - http://docs.exim.org
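The thread above asks what an application actually sees from a validating resolver: the AD (Authenticated Data) flag in the response header when the answer validated, and SERVFAIL when validation failed. The following is an added example, not code from this thread or from Exim, Postfix or Sendmail: it parses the 12-byte DNS message header, reads the AD/CD flags and RCODE, and maps them onto the three states Mark lists (unsigned, signed and verified, signed and failing). The sample responses are constructed header-only messages; `build_response` and `dnssec_status` are names chosen here, not an existing library API.

```python
"""Classify a DNS response by its DNSSEC-related header fields.

Constructed example (not Exim code). Layout per RFC 1035 section 4.1.1,
with the AD and CD bits as defined in RFC 2535 / RFC 4035.
"""
import struct

# Header flag bits (16-bit flags word, network byte order).
FLAG_QR = 0x8000  # response
FLAG_AA = 0x0400  # authoritative answer
FLAG_TC = 0x0200  # truncated
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data (set by a validating resolver)
FLAG_CD = 0x0010  # checking disabled (client asked resolver not to validate)
RCODE_MASK = 0x000F

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into a dict of fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,
    }


def dnssec_status(msg: bytes) -> str:
    """Map a response header to one of: 'secure', 'insecure', 'bogus'.

    - 'secure'  : resolver validated the data and set AD.
    - 'insecure': no AD; the zone is unsigned or the resolver does not
                  validate (the "DNS query is not signed" case).
    - 'bogus'   : SERVFAIL from a validating resolver, which is what the
                  thread expects for data that fails validation.

    Caveat for callers: AD is only meaningful if the path to the resolver
    itself is trusted (e.g. a validating resolver on localhost); a plain
    UDP hop to a remote cache can have the bit set by anyone on the path.
    """
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("message is a query, not a response")
    if h["rcode"] == RCODE_SERVFAIL:
        return "bogus"
    if h["rcode"] != RCODE_NOERROR:
        return "error:%d" % h["rcode"]
    if h["ad"] and not h["cd"]:
        return "secure"
    return "insecure"


def build_response(ident: int, *, ad: bool = False, cd: bool = False,
                   rcode: int = RCODE_NOERROR, ancount: int = 0) -> bytes:
    """Construct a header-only DNS response for testing (no question/answer sections)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (rcode & RCODE_MASK)
    if ad:
        flags |= FLAG_AD
    if cd:
        flags |= FLAG_CD
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)


# Constructed sample responses illustrating the three states.
SAMPLES = {
    "validated_mx": build_response(0x1234, ad=True, ancount=2),
    "unsigned_mx": build_response(0x1235, ancount=1),
    "failed_validation": build_response(0x1236, rcode=RCODE_SERVFAIL),
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-18s -> %s" % (name, dnssec_status(raw)))
```

A mail server that wants to treat "the MX record failed validation" differently from "the zone is unsigned" needs exactly this distinction; a plain `getaddrinfo()` call exposes neither the AD flag nor the reason for a failure, which is why the patches mentioned above pull in a validation library instead of the system resolver.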