* Ted Cooper:
> DNSSEC just makes sure that the answers received in DNS lookups are
> valid
Yes.
> and came from the right place. Doesn't it?
No. The transport isn't secured at all. That's why the protocol is
so complex, and somewhat operationally challenging with current
software.
> I would have thought the responsibility for doing DNS lookups and
> validating them would fall to the resolver library. In the event there
> is a DNSSEC failure, the resolver simply returns SERVFAIL or lookup
> fail. The normal Exim behaviour when this happens is dependant on where
> it was called.
Client-side validation in short-lived processes does not work that
well because you'd have to walk back the chain of delegation to a
trust anchor, fetching DS and DNSKEY RRs at each point and performing
an RSA operation. You have to repeat the process for each MX host, so
for domains like exim.org (domain and all MXs in different TLDs), this
can be quite a bit of work. Usually, the costs are reduced by
caching, but if you use a process-specific validator in a short-lived
process, the efficiency of the cache is greatly reduced.
(I can't find the Postfix and Sendmail patches, BTW, so I don't know
what they are doing.)
--
Florian Weimer <fweimer@???>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99