[exim-dev] testdns.exim.org and DNSSEC

Folks,

As prep work for perhaps one day finishing the DNSSEC support in Exim,
I've gotten testdns.exim.org being served with DNSSEC signatures (with
NSEC3 support).

Unfortunately, the exim.org hoster can't take DS records safely (we'd
have to switch to bind format, and even then it would be dangerous,
since they reject DNS/TCP and so large responses risk breaking
resolution). Indeed, I can't even add testdns.exim.org to dlv.isc.org
because the lack of TCP support breaks their verification system.

So, in the mean-time, if you want to test DNSSEC with entries from
testdns.exim.org, you'll have to manually add a zone trust anchor you
your verifying resolver. This PGP-signed email serves as
evidence/notification of the trust anchor in use. Because this is a
test zone, the only people affected by stale anchors will be people
debugging Exim in the presence of DNSSEC, so it's not too bad to have
random resolver configs having this key in them. *cough*

You either want DS keys or the DNSKEY for your setup.

testdns.exim.org. IN DS 26805 7 1 7437B150A8E7CA7E10581CBD878AC63FC2871F00
testdns.exim.org. IN DS 26805 7 2 4DA3410D5A84C4025132A9F54DADC664E3F95B80C9962A156689A202 3DAF5507

testdns.exim.org. IN DNSKEY 257 3 7 AwEAAc5ohRTM6+7LtFaTnJN6aqTfoCve8DSCysD/qBaaZTb2N3xgnxqB KOAMVgD1ETLDQW03UaipyptdSncJPo2Sd3Mtcmd80zldKUAfAmSPN8C4 TMM8LEYjCyJ77PD6PVj24e836dMI9MzktkfSQKutTgyhi2SJcqn/SGRf 2O29S7+NcZ0ABehq1HKMFhhRM27KnpLQMww2KjeB9822EPyd+sWNMNMd IdvrIkdNGNPzWdK1UnCnFkgUJ0oszRCs5tJKCJhO7Bh0Yj7hIRdsH2Vf wZ/F4aB0jptxz+bFt9upEOWYDIhnmWxyLS1jThyfddzMzVHth6DutJgf v7ASDXhe88c=

In unbound.conf, the validating resolver I use, it's as simple as a
"trust-anchor:" directive in the "server:" block.

$ dig +dnssec -t a mx4.valid254.testdns.exim.org

If that sets the "ad" flag in the response header, you have verification
working and the trust anchor in place.

Regards,
-Phil