On 2013-03-15 at 03:26 -0400, Phil Pennock wrote:
> As prep work for perhaps one day finishing the DNSSEC support in Exim,
> I've gotten testdns.exim.org being served with DNSSEC signatures (with
> NSEC3 support).

*If* you configure a manual trust-anchor, as defined in that file, then
you'll be unable to visit:

http://www.invalid254.testdns.exim.org/

For most of the Internet's population, where most is "all but one, or
perhaps two, people", that hostname resolves just fine. Once we can get
exim.org signed, one day, that will invert so that anyone with a
validating resolver will not be able to visit that site.

Why bother?

Because if I'm going to test DNSSEC logic in Exim, I need to have
hostnames that explicitly _fail_ DNSSEC validation, so that I can ensure
not just that I haven't broken things that should work, but that I have
successfully broken things that should not work.

In this case, I simply included DS records for
invalid254.testdns.exim.org in the parent zone, testdns.exim.org, and
put DNSKEY records into the zone, but have not signed it, so there are
no NSEC/NSEC3 records. Combine with the signing policy on
testdns.exim.org not allowing for child opt-outs, and that was all
that's needed.

Separately: I saw from logs that someone on tahini tried to AXFR
testdns.exim.org from us0ns.globnix.net, a secondary, instead of the
primary (nlns.globnix.net). ACLs on the secondary updated to allow that
too.

-Phil
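The following is an added illustration, not Phil's or Exim's code, of the validator decision the invalid254 setup exercises. Given the DS records the parent publishes, the DNSKEYs at the child apex, and whether the child's RRSIGs verify (reduced here to a flag; a real validator checks the signatures with the matched key), it classifies the delegation as secure, insecure or bogus per RFC 4035. The DS is derived from the DNSKEY with the real RFC 4034 key-tag and SHA-256 digest computations. The key bytes are constructed nonsense and the DNSKEY (flags 257) is hypothetical; the owner name is the one from the post.

```python
"""Toy DNSSEC chain-of-trust decision for a delegation.

Added example, not Exim code. The child's signature check is a boolean
stand-in; key material is constructed and meaningless.
"""
import hashlib
import struct

RSASHA256 = 8           # DNSKEY algorithm number (RFC 5702)
DIGEST_SHA256 = 2       # DS digest type (RFC 4509)
ZONE_KEY_FLAG = 0x0100  # DNSKEY flags: Zone Key bit (RFC 4034 s2.1.1)


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA (RFC 4034 s2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_wire_name(name):
    """Owner name in canonical wire form: lowercase labels plus the root label (RFC 4034 s6.2)."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def ds_digest(owner, flags, protocol, algorithm, pubkey):
    """DS digest type 2: SHA-256(owner name | DNSKEY RDATA) (RFC 4034 s5.1.4, RFC 4509)."""
    data = canonical_wire_name(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey)
    return hashlib.sha256(data).hexdigest()


def make_ds(owner, flags, protocol, algorithm, pubkey):
    """The DS RR a parent publishes for a child, derived from one child DNSKEY."""
    return {"key_tag": key_tag(flags, protocol, algorithm, pubkey),
            "algorithm": algorithm,
            "digest_type": DIGEST_SHA256,
            "digest": ds_digest(owner, flags, protocol, algorithm, pubkey)}


def validate_delegation(owner, parent_ds, child_dnskeys, child_rrsigs_verify,
                        parent_denies_ds=False):
    """Classify a child zone as "secure", "insecure" or "bogus" (RFC 4035 s5).

    parent_ds            DS RRs from the already-validated parent (may be empty)
    child_dnskeys        (flags, protocol, algorithm, pubkey) tuples at the child apex
    child_rrsigs_verify  stand-in for verifying the child's RRSIGs with the matched key
    parent_denies_ds     True if the parent gave an authenticated NSEC/NSEC3 proof of no DS
    """
    if not parent_ds:
        # A missing DS makes the delegation insecure only when the parent proves
        # the absence; an unproven absence is bogus.
        return "insecure" if parent_denies_ds else "bogus"
    for ds in parent_ds:
        for flags, protocol, algorithm, pubkey in child_dnskeys:
            if not flags & ZONE_KEY_FLAG or algorithm != ds["algorithm"]:
                continue
            if key_tag(flags, protocol, algorithm, pubkey) != ds["key_tag"]:
                continue
            if (ds["digest_type"] == DIGEST_SHA256
                    and ds_digest(owner, flags, protocol, algorithm, pubkey) == ds["digest"]):
                # Secure entry point found: the child's data must now carry valid RRSIGs.
                return "secure" if child_rrsigs_verify else "bogus"
    # DS present but no child DNSKEY matches it: the chain is broken, not absent.
    return "bogus"


# Constructed scenario mirroring the post: the parent publishes a DS for invalid254,
# the child publishes the matching DNSKEY, but nothing in the child is signed.
INVALID254 = "invalid254.testdns.exim.org."
KSK = (257, 3, RSASHA256, b"\x01\x02\x03\x04")  # hypothetical key, constructed bytes
PARENT_DS = [make_ds(INVALID254, *KSK)]


def invalid254_status():
    """The post's setup: DS in parent, DNSKEY in child, no RRSIGs."""
    return validate_delegation(INVALID254, PARENT_DS, [KSK], child_rrsigs_verify=False)


def signed_child_status():
    """Same DS and DNSKEY, but the child is actually signed."""
    return validate_delegation(INVALID254, PARENT_DS, [KSK], child_rrsigs_verify=True)


if __name__ == "__main__":
    print("invalid254, unsigned child:", invalid254_status())
    print("same child, signed:", signed_child_status())
```

The point the model makes explicit: once the parent publishes a matching DS, the child cannot fall back to "insecure"; it is either signed and secure, or bogus. That is why putting DS records in testdns.exim.org for an unsigned child is enough to make a validating resolver fail the name, while every non-validating resolver keeps resolving it.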