[exim-dev] [Bug 864] DNSSEC Support

Author: Ted Cooper
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 864] DNSSEC Support
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=864




--- Comment #3 from Ted Cooper <eximX0902w@???> 2009-07-17 00:58:54 ---
We kinda went into this on the exim-users list, but I really should have put my
thinking in here too.

The UNIX model of using the local caching resolver, while valid and giving
essentially the exact same final outcome, does get the additional information
associated with validated lookups. This method only gives the result as a valid
set of RRs, NXDOMAIN, or SERVFAIL. There is no way to tell between verification
failing and a true SERVFAIL. The Exim model is to give as much information to
the ACLs and conditions as possible to allow people to do whatever magic foo
they wish.

You should be able to trust your LAN resolver.

After having the issue brought up on the mailing list and checking out some of
the sites regarding it, I found that Postfix and Sendmail had patches
available, and I didn't want Exim to be left out in the cold ;) After some more
looking today, it seems that these patches are supplied by a commercial entity
paid by the US govt (DHS)[1][2] to help push DNSSEC adoption along. I have been
unable to find anything related to the patches on either of the other MTAs'
official websites.

So, the question becomes: is this a worthwhile addition to Exim? I.e. should
Exim have the ability to do its own DNSSEC validation dependent on user flags
and set some variables which can be used in expansions to make decisions? At
this point, it would be an EXPERIMENTAL addition with no backwards-incompatible
configuration changes.



[1] http://www.dnssec-deployment.org/
[2] http://www.dnssec-tools.org/
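As an added illustration of the header-level distinction discussed in the comment above (this is example code, not Exim's and not from this bug), the following C classifies a resolver reply by RCODE and AD bit, which is all a stub client sees from a validating cache, and builds a query carrying the EDNS0 DO bit, the flag a self-validating client would set to get the RRSIG/NSEC records back. The sample reply bytes and the query name are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not Exim code: what a stub resolver learns from a validating cache's
 * reply using only the 12-byte DNS header (RFC 1035 s4.1.1; AD/CD/DO bits, RFC 4035 s3.2). */
enum dns_outcome { DNS_SECURE, DNS_INSECURE, DNS_NXDOMAIN, DNS_SERVFAIL, DNS_OTHER };
/* Header: ID(2) FLAGS(2) QDCOUNT(2) ANCOUNT(2) NSCOUNT(2) ARCOUNT(2).
 * Flags byte 2: QR Opcode(4) AA TC RD;  byte 3: RA Z AD CD RCODE(4). */
enum dns_outcome classify_reply(const uint8_t *msg, size_t len)
{
    if (len < 12 || !(msg[2] & 0x80)) return DNS_OTHER;   /* too short, or QR=0 (a query) */
    int ad = (msg[3] >> 5) & 1;                           /* AD: the resolver validated the data */
    switch (msg[3] & 0x0F) {
    case 0:  return ad ? DNS_SECURE : DNS_INSECURE;
    case 2:  return DNS_SERVFAIL;   /* validation failure and upstream failure are indistinguishable */
    case 3:  return DNS_NXDOMAIN;
    default: return DNS_OTHER;
    }
}

/* Build a recursive A/IN query for `name` with an EDNS0 OPT record whose DO bit asks the
 * resolver to include RRSIG/NSEC records. Returns the message length, or 0 on error. */
size_t build_do_query(uint8_t *buf, size_t cap, const char *name, uint16_t id)
{
    size_t n = 12;
    if (cap < 12 + strlen(name) + 2 + 4 + 11) return 0;
    uint8_t hdr[12] = { (uint8_t)(id >> 8), (uint8_t)id, 0x01, 0x00, 0,1, 0,0, 0,0, 0,1 }; /* RD=1 QD=1 AR=1 */
    memcpy(buf, hdr, 12);
    for (const char *p = name; *p; ) {                    /* QNAME as length-prefixed labels */
        const char *dot = strchr(p, '.');
        size_t l = dot ? (size_t)(dot - p) : strlen(p);
        if (l == 0 || l > 63) return 0;                   /* empty or over-long label */
        buf[n++] = (uint8_t)l; memcpy(buf + n, p, l); n += l;
        p = dot ? dot + 1 : p + l;
    }
    buf[n++] = 0;                                         /* root label ends QNAME */
    memcpy(buf + n, (const uint8_t[]){ 0,1, 0,1 }, 4); n += 4;   /* QTYPE=A QCLASS=IN */
    /* OPT RR: NAME=root TYPE=41 CLASS=4096 (UDP size) TTL=ext-rcode,version,flags(DO=0x8000) RDLEN=0 */
    memcpy(buf + n, (const uint8_t[]){ 0, 0,41, 0x10,0, 0,0,0x80,0, 0,0 }, 11); n += 11;
    return n;
}

int main(void)
{
    const uint8_t servfail[12] = { 0x12,0x34, 0x81,0x82, 0,1, 0,0, 0,0, 0,0 }; /* constructed reply */
    uint8_t q[512];
    printf("servfail -> %d (DNS_SERVFAIL=3); DO query = %zu bytes\n",
           classify_reply(servfail, 12), build_do_query(q, sizeof q, "example.com", 0x1234));
    return 0;
}
```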


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email