Re: [exim] exim and dnssec

Author: Andre Grueneberg
Date:  
To: exim-users
Subject: Re: [exim] exim and dnssec
Ted Cooper wrote:
> So I had a little bit of a browse around and it seems that Postfix and
> Sendmail have DNSSEC support where they won't deliver outbound email to
> fraudulently signed MX records which specify verification is required.
>
> This is rather puzzling since I was under the impression that DNSSEC was
> meant to be completely transparent, at the resolver layer and simply
> wouldn't return results if they were invalid. ie SERVFAIL or similar.


Basically both are correct.
In case you have a DNSSEC-enabled resolver, it will verify the
responses. If verification fails it will return SERVFAIL to the stub resolver.
Exception: if you set the CD (checking disabled) flag in the request,
the querier will get the information no matter what.

Additionally you may explicitly set the DO (DNSSEC OK) flag in your
(EDNS0-enabled) request to get the RRSIG RRs for the returned RRs.

In principle the stub resolver could also do the verification. So far I
haven't seen any stub resolver doing that.

In case neither your resolver nor your stub resolver verifies the DNS
responses, you may do so in the application. Additionally, in case you
don't own the resolver, you might not want to trust it.

The problem is that you don't want to maintain the trust anchor in all
your applications.

One option is to do all queries with DO, check the AD (authentic
data) flag, and indicate that. Only I don't know where.

Andre
--
If you are feeling good, don't worry; you'll get over it.
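As an added illustration of the header bits discussed in the message above (this is not Andre's code, nor anything from Exim, Postfix or Sendmail), the following Python builds a DNS query on the wire with an EDNS0 OPT record, sets the DO bit (and optionally CD), and then inspects a response for the AD flag, the RCODE and the presence of RRSIG records. No network is used: the three responses are constructed in the block itself, the names `example.org` and `mail.example.org` are placeholders, and the RRSIG rdata is filler bytes rather than a real signature, because the point here is the flags, not signature validation.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD defined by RFC 4035).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # authentic data: resolver asserts it validated the answer
FLAG_CD = 0x0010   # checking disabled: hand back the data even if validation fails

TYPE_MX = 15
TYPE_OPT = 41
TYPE_RRSIG = 46
CLASS_IN = 1
RCODE_SERVFAIL = 2

EDNS_DO = 0x8000   # DO bit lives in the high half of the OPT record's 32-bit TTL field


def encode_name(name):
    """Encode a domain name as uncompressed DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_MX, txid=0x1234, dnssec_ok=True, checking_disabled=False):
    """Build a recursive query with an OPT RR; DO asks for RRSIGs, CD disables validation."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # QD=1, AR=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    ttl = EDNS_DO if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl, 0)  # root name, UDP size 4096
    return header + question + opt


def skip_name(msg, offset):
    """Return the offset just past a name, handling compression pointers."""
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            return offset + 2
        if length == 0:
            return offset + 1
        offset += 1 + length


def parse_response(msg):
    """Extract the flags and record types an application would check after a DO query."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(msg, offset) + 4
    types = []
    for _ in range(an + ns + ar):
        offset = skip_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen
        types.append(rtype)
    return {
        "id": txid,
        "rcode": flags & 0x000F,
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "answer_count": an,
        "rrsig_count": types.count(TYPE_RRSIG),
    }


def classify(resp):
    """Summarise what the response says about validation, as an application would see it."""
    if resp["rcode"] == RCODE_SERVFAIL:
        return "SERVFAIL: validation failed (or resolver problem)"
    if resp["cd"]:
        return "CD echoed: resolver did not validate, data is unverified"
    if resp["ad"]:
        return "AD set: resolver claims validated data"
    return "no AD: unsigned zone or non-validating resolver"


def build_response(query, rcode=0, ad=False, cd=False, answers=()):
    """Construct a reply to `query` for offline demonstration; not captured from a resolver."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | rcode | (FLAG_AD if ad else 0) | (FLAG_CD if cd else 0)
    question = query[12:skip_name(query, 12) + 4]
    body = b""
    for name, rtype, rdata in answers:
        body += encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0) + question + body


# Constructed sample exchange: placeholder names, filler RRSIG rdata.
QUERY = build_query("example.org", TYPE_MX)
MX_RDATA = struct.pack("!H", 10) + encode_name("mail.example.org")
FAKE_RRSIG = b"\x00\x0f" + b"\x00" * 16
VALIDATED = build_response(QUERY, ad=True, answers=[("example.org", TYPE_MX, MX_RDATA),
                                                    ("example.org", TYPE_RRSIG, FAKE_RRSIG)])
UNVALIDATED = build_response(QUERY, answers=[("example.org", TYPE_MX, MX_RDATA)])
BOGUS = build_response(QUERY, rcode=RCODE_SERVFAIL)

if __name__ == "__main__":
    for label, msg in (("validated", VALIDATED), ("unvalidated", UNVALIDATED), ("bogus", BOGUS)):
        print(label, parse_response(msg), classify(parse_response(msg)))
```

The AD bit is only meaningful if the resolver that set it is one you trust and the path to it cannot be tampered with, which is exactly the reservation raised in the message above; with CD set, the same resolver returns the records regardless of validation, so an application that sets CD takes on the job of validating RRSIGs itself.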