Re: [exim-dev] [Bug 1461] New: dnssec use floods /var/log/me…

Top Page
Delete this message
Reply to this message
Author: Heiko Schlittermann
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 1461] New: dnssec use floods /var/log/messages
Viktor Dukhovni <viktor1dane@???> (Di 08 Apr 2014 20:57:43 CEST):

>     - Do use getnameinfo() instead of gethostbyaddr() to perform address to
>       name lookups.  I would not recomment using DNS directly as this breaks
>       systems that rely in part on /etc/hosts or other local nsswitch
>       mechanisms.


+1

> Under the covers, if the address is on the public Internet, and
> requires DNS lookups for resolution, if the local resolver is
> configured to do DNSSEC, it will be validated. There is like at
> this time no reason for Exim to explicitly distinguish DNSSEC
> validated IP addresses from those that were obtained from unsigned
> zones. Therefore, if the goal is to simply filter out forgeries, the
> nameserver will already discard "bogus" results.


But does the client application have a way to tell if the getnameinfo()
result is validated? Or failed because of a failed validation?

    Viele Grüße aus Dresden
    Heiko 
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
 gnupg fingerprint: 9288 F17D BBF9 9625 5ABC  285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B)-