Re: [exim-dev] [Bug 1461] New: dnssec use floods /var/log/me…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 1461] New: dnssec use floods /var/log/messages
On Sun, Apr 06, 2014 at 02:38:07PM +0100, Jeremy Harris wrote:

> We'll be chasing the glibc issue separately, but exim might workaround by
> either flipping the dnssec bit only while needed or by converting all
> current use of gethostby* to use the newer res_search().


Strong suggestion:

    - Do not permanently change the global resolver options, this can break
      various other libraries Exim might be linked with (LDAP, MySQL, ...).
      Rather set and restore resolver options around each call (Exim is
      not multi-threaded AFAIK).


    - Do use getnameinfo() instead of gethostbyaddr() to perform address to
      name lookups.  I would not recommend using DNS directly as this breaks
      systems that rely in part on /etc/hosts or other local nsswitch
      mechanisms.


Under the covers, if the address is on the public Internet, and
requires DNS lookups for resolution, if the local resolver is
configured to do DNSSEC, it will be validated. There is likely at
this time no reason for Exim to explicitly distinguish DNSSEC
validated IP addresses from those that were obtained from unsigned
zones. Therefore, if the goal is to simply filter out forgeries, the
nameserver will already discard "bogus" results.

In addition, PTR records by themselves are not trustworthy anyway
until they are forward resolved and determined to match the query
address. If you really want DNSSEC, you can apply it on the forward
lookup, it is unlikely that in-addr.arpa will be signed any time
soon.

-- 
    Viktor.
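The two suggestions above, together with the closing point that a PTR record only becomes meaningful once it is forward-confirmed, as an added C example. This is not Viktor's code and not Exim's: it shows a save-and-restore wrapper for the resolver option (guarded on RES_USE_DNSSEC being defined and assuming res_init() has already run, as Exim does), address-to-name resolution through getnameinfo()/getaddrinfo() so nsswitch and /etc/hosts are honoured, and a forward-confirmed reverse DNS check that is also wired to a constructed, offline stand-in for the DNS (documentation addresses and hypothetical names) so the logic can be exercised without network access.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <resolv.h>
#include <sys/socket.h>

/* Point 1: set a resolver option for one call and restore it, instead of
 * changing the process-global state that other linked libraries share.
 * Assumes res_init() has already run (first init resets the options). */
static int with_dnssec_option(int (*fn)(const void *), const void *arg)
{
#ifdef RES_USE_DNSSEC                 /* glibc / BSD / musl libresolv */
    unsigned long saved = _res.options;
    _res.options |= RES_USE_DNSSEC;
    int rc = fn(arg);
    _res.options = saved;             /* restore even if the lookup failed */
    return rc;
#else
    return fn(arg);
#endif
}

/* Point 2 and the PTR caveat: a reverse name is only trusted once the
 * forward lookup of that name yields the original address (FCrDNS). */
typedef bool (*reverse_fn)(const char *addr, char *name, size_t len);
typedef bool (*forward_fn)(const char *name, const char *addr);
enum fcrdns { FCRDNS_NO_PTR, FCRDNS_MISMATCH, FCRDNS_CONFIRMED };

static enum fcrdns fcrdns_check(const char *addr, reverse_fn rev,
                                forward_fn fwd, char *name, size_t len)
{
    if (!rev(addr, name, len))
        return FCRDNS_NO_PTR;
    return fwd(name, addr) ? FCRDNS_CONFIRMED : FCRDNS_MISMATCH;
}

/* Real lookups via the nsswitch-aware libc API, so /etc/hosts is honoured. */
static bool reverse_getnameinfo(const char *addr, char *name, size_t len)
{
    struct sockaddr_in sa = { .sin_family = AF_INET };
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1)
        return false;
    /* NI_NAMEREQD: fail rather than echo the numeric address back */
    return getnameinfo((struct sockaddr *)&sa, sizeof sa, name, len,
                       NULL, 0, NI_NAMEREQD) == 0;
}

static bool forward_getaddrinfo(const char *name, const char *addr)
{
    struct addrinfo hints = { .ai_family = AF_INET, .ai_socktype = SOCK_STREAM };
    struct addrinfo *res, *p;
    bool match = false;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return false;
    for (p = res; p != NULL && !match; p = p->ai_next) {
        char buf[INET_ADDRSTRLEN];
        const struct sockaddr_in *sin = (const struct sockaddr_in *)p->ai_addr;
        if (inet_ntop(AF_INET, &sin->sin_addr, buf, sizeof buf) != NULL)
            match = strcmp(buf, addr) == 0;
    }
    freeaddrinfo(res);
    return match;
}

/* Constructed offline DNS: each row holds a host's A record (name -> a)
 * and the address whose PTR record names that host (ptr_of -> name). */
static const struct { const char *name, *a, *ptr_of; } stub[] = {
    { "mail.example.test",  "192.0.2.10",   "192.0.2.10" },  /* consistent */
    { "spoof.example.test", "198.51.100.1", "192.0.2.20" },  /* PTR claims a host it does not own */
};

static bool stub_reverse(const char *addr, char *name, size_t len)
{
    for (size_t i = 0; i < sizeof stub / sizeof stub[0]; i++)
        if (strcmp(stub[i].ptr_of, addr) == 0) {
            snprintf(name, len, "%s", stub[i].name);
            return true;
        }
    return false;
}

static bool stub_forward(const char *name, const char *addr)
{
    for (size_t i = 0; i < sizeof stub / sizeof stub[0]; i++)
        if (strcmp(stub[i].name, name) == 0)
            return strcmp(stub[i].a, addr) == 0;
    return false;
}

enum fcrdns fcrdns_check_stub(const char *addr, char *name, size_t len)
{
    return fcrdns_check(addr, stub_reverse, stub_forward, name, len);
}

static int check_real(const void *addr)   /* callback shape for with_dnssec_option */
{
    char name[256];
    return (int)fcrdns_check(addr, reverse_getnameinfo, forward_getaddrinfo,
                             name, sizeof name);
}

int main(void)
{
    static const char *const label[] = { "no PTR", "mismatch", "confirmed" };
    char name[256];
    printf("192.0.2.10 -> %s\n", label[fcrdns_check_stub("192.0.2.10", name, sizeof name)]);
    printf("192.0.2.20 -> %s\n", label[fcrdns_check_stub("192.0.2.20", name, sizeof name)]);
    /* real loopback lookup through nsswitch, DNSSEC flag set only for the call */
    printf("127.0.0.1  -> %s\n", label[with_dnssec_option(check_real, "127.0.0.1")]);
    return 0;
}
```

The stub rows make the failure mode concrete: 192.0.2.20 has a PTR record pointing at spoof.example.test, but that name forward-resolves elsewhere, so the check reports a mismatch rather than accepting the name. The real path never touches global resolver state for the getnameinfo()/getaddrinfo() calls themselves; the wrapper is only there for the one place where a caller genuinely needs the DNSSEC option, and it hands the previous options back before any other library in the process can observe the change.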