[exim-dev] [Bug 864] DNSSEC Support

Author: Simon Arlott
Date:  
To: exim-dev
Old-Topics: [exim-dev] [Bug 864] New: DNSSEC Support
Subject: [exim-dev] [Bug 864] DNSSEC Support
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=864

Simon Arlott <bugzilla.exim.simon@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugzilla.exim.simon@???
                   |                            |rg
--- Comment #6 from Simon Arlott <bugzilla.exim.simon@???> 2009-09-22 22:18:09 ---
DNSSEC introduces the CD (checking disabled), DO (do DNSSEC) and AD (authentic
data) flags.

Exim can make a query with DO set. If the response has the AD flag then the
response is valid and authentic. If it returns SERVFAIL and another query with
CD returns data then DNSSEC validation failed... or it timed out before but
worked the second time.

There has to be a way to do this in a single query, but there doesn't appear to
be any way to distinguish between "not authentic" and "signature not required".

Querying with DO and CD returns the RRSIG RRs too... which just means that they
exist. If the response doesn't have AD set, it doesn't imply it should have
been signed but failed validation. Equally, if the RRSIG RRs don't exist then
there's no way of knowing that they should have been there.


If you don't trust the resolver on your local network, then a local caching
resolver is practically required, unless you intend to quickly retrieve all the
relevant key information to fully validate DNSSEC on every request... from a
resolver you don't trust.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
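The two-query scheme described in the comment (ask with DO set and trust AD; on SERVFAIL re-ask with CD and see whether data comes back), as an added example written for this page. It is not Exim's code and not part of the bug thread; the outcome labels, the `resolve` callback shape and the `udp_resolver` helper are assumptions of this example. Packets are built and parsed by hand with the standard library only, and the scripted resolvers at the bottom are constructed sample responses so it runs offline.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 / RFC 4035 layout)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_AD = 0x0020   # authentic data
FLAG_CD = 0x0010   # checking disabled
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
QTYPE_A = 1
QTYPE_OPT = 41
EDNS_DO = 0x8000   # DO bit lives in the OPT record's 32-bit TTL field


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234, dnssec_ok=True, checking_disabled=False):
    """Recursive query; DO is carried in an EDNS0 OPT record, CD in the header flags."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if dnssec_ok:
        # root name, TYPE=OPT, CLASS=UDP payload size, TTL=DO bit, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_header(packet):
    """Pull the fields the validation logic cares about from the 12-byte header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & RCODE_MASK, "ancount": an}


def classify(resolve):
    """resolve(checking_disabled) -> response bytes, or None on timeout.

    Mirrors the comment: AD on a DO query means authentic; no AD cannot be
    told apart from 'signature not required'; SERVFAIL followed by data on a
    CD query means validation failed, or the first attempt merely timed out.
    """
    first = resolve(False)
    if first is None:
        return "timeout"
    h = parse_header(first)
    if h["rcode"] == RCODE_NOERROR and h["ad"]:
        return "authentic"
    if h["rcode"] == RCODE_NOERROR:
        return "unsigned-or-unknown"
    if h["rcode"] == RCODE_SERVFAIL:
        second = resolve(True)
        if second is None:
            return "servfail"
        h2 = parse_header(second)
        if h2["rcode"] == RCODE_NOERROR and h2["ancount"] > 0:
            return "bogus-or-transient"
        return "servfail"
    return "error"


def udp_resolver(server, name, timeout=2.0, port=53):
    """Assumed helper: a resolve() callback that really sends the query over UDP."""
    def resolve(checking_disabled):
        pkt = build_query(name, dnssec_ok=True, checking_disabled=checking_disabled)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(pkt, (server, port))
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                return None
        return data
    return resolve


def make_response(flags, ancount, txid=0x1234):
    """Constructed sample response: header only, which is all parse_header reads."""
    return struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | flags, 1, ancount, 0, 0)


def scripted(first, second=None):
    """Constructed resolver returning `first` for the DO query and `second` for the CD retry."""
    return lambda cd: second if cd else first


if __name__ == "__main__":
    print(classify(scripted(make_response(FLAG_AD, 1))))
    print(classify(scripted(make_response(RCODE_SERVFAIL, 0), make_response(FLAG_CD, 1))))
```

The `unsigned-or-unknown` branch is the gap the comment points at: a clean answer without AD looks the same whether the zone is unsigned or the resolver simply did not validate, which is why the comment concludes that a trusted (ideally local) validating resolver is needed rather than more client-side flag juggling. Replace the scripted resolver with `udp_resolver("<resolver-ip>", "example.com.")` to run it against a real validating resolver.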