On 08/04/14 19:57, Viktor Dukhovni wrote:
> On Sun, Apr 06, 2014 at 02:38:07PM +0100, Jeremy Harris wrote:
>
>> We'll be chasing the glibc issue separately, but exim might workaround by
>> either flipping the dnssec bit only while needed or by converting all
>> current use of gethostby* to use the newer res_search().
>
> Strong suggestion:
>
> - Do not permanently change the global resolver options, this can break
> various other libraries Exim might be linked with (LDAP, MySQL, ...).
> Rather set and restore resolver options around each call (Exim is
> not multi-threaded AFAIK).
Fair point.
>
> - Do use getnameinfo() instead of gethostbyaddr() to perform address to
> name lookups
Agreed, but low-priority given:
> I would not recommend using DNS directly as this breaks
> systems that rely in part on /etc/hosts or other local nsswitch
> mechanisms.
Disagree. Exim does exactly that; I assume it has done for some
time, and changing it is more likely to break things.
>
> Under the covers, if the address is on the public Internet, and
> requires DNS lookups for resolution, if the local resolver is
> configured to do DNSSEC, it will be validated. There is likely at
> this time no reason for Exim to explicitly distinguish DNSSEC
> validated IP addresses from those that were obtained from unsigned
> zones. Therefore, if the goal is to simply filter out forgeries, the
> nameserver will already discard "bogus" results.
>
> In addition, PTR records by themselves are not trustworthy anyway
> until they are forward resolved and determined to match the query
> address. If you really want DNSSEC, you can apply it on the forward
> lookup, it is unlikely that in-addr.arpa will be signed any time
> soon.
>
ip6.arpa is - and I'd never have known if exim wasn't able to
distinguish:
$ dig +dnssec -x 2001:630:212:8::e:f40
[...]
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
[...]
;; ANSWER SECTION:
0.4.f.0.e.0.0.0.0.0.0.0.0.0.0.0.8.0.0.0.2.1.2.0.0.3.6.0.1.0.0.2.ip6.arpa. 86176 IN PTR ppsw-40-v6.csi.cam.ac.uk.
0.4.f.0.e.0.0.0.0.0.0.0.0.0.0.0.8.0.0.0.2.1.2.0.0.3.6.0.1.0.0.2.ip6.arpa. 86176 IN RRSIG PTR 5 34 86400 20140423220159 20140325152738 54825 1.2.0.0.3.6.0.1.0.0.2.ip6.arpa. DKLZfRxjP/w9OMmtvI7viBKnsOZcDA1KwnyB76ph2BIqM0DXRuzb04XzoFnJJNZW6UG7VLk6FurvFL/8IfqdigGH4JjpHZ6r9CZfwxAi0tN/1RsN/DqiYlusf8fVAnm6WHjB4dcfg8wXqHr1HsIRrz5e4aM=
Note the "ad" set in flags.
--
Cheers,
Jeremy
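The two mechanisms discussed in this thread, in working code, as an added example that is not part of the original message and is not Exim's code: (1) Viktor's suggestion to set a resolver option only for the duration of one call and restore the caller's state afterwards, and (2) Jeremy's point that the "ad" flag in the response header is how a client tells a resolver-validated answer from an unvalidated one. To build without libresolv, the option wrapper takes a plain options word and a bit value; in a real program those would be `&_res.options` and `RES_USE_DNSSEC` from `<resolv.h>` (assumption, stated in the comments). The two 12-byte response headers are constructed, with the flag and count fields matching what dig printed above ("qr rd ra ad", QUERY 1, ANSWER 2, AUTHORITY 0, ADDITIONAL 1); the message id is arbitrary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Header flag bits: second 16-bit word of a DNS message (RFC 1035 s4.1.1; AD/CD from RFC 4035 s3.2). */
#define DNS_FLAG_QR    0x8000u   /* message is a response                      */
#define DNS_FLAG_TC    0x0200u   /* truncated: caller must retry over TCP      */
#define DNS_FLAG_RD    0x0100u   /* recursion desired                          */
#define DNS_FLAG_RA    0x0080u   /* recursion available                        */
#define DNS_FLAG_AD    0x0020u   /* authentic data: the validator's verdict    */
#define DNS_FLAG_CD    0x0010u   /* checking disabled                          */
#define DNS_HEADER_LEN 12

enum dns_verdict { DNS_MALFORMED = -1, DNS_UNVALIDATED = 0, DNS_VALIDATED = 1 };

struct dns_header { uint16_t id, flags, qdcount, ancount, nscount, arcount; };

static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the fixed 12-byte header; 0 on success, -1 if the buffer is too short. */
int dns_parse_header(const unsigned char *msg, size_t len, struct dns_header *h)
{
    if (msg == NULL || h == NULL || len < DNS_HEADER_LEN) return -1;
    h->id = be16(msg);         h->flags = be16(msg + 2);   h->qdcount = be16(msg + 4);
    h->ancount = be16(msg + 6); h->nscount = be16(msg + 8); h->arcount = be16(msg + 10);
    return 0;
}

/* Classify a resolver response by its AD bit (what dig shows as "ad" in flags).
 * Only meaningful when the response came from a trusted validating resolver
 * over a path the attacker cannot write to; a forged AD bit is just a bit. */
int dns_answer_validated(const unsigned char *msg, size_t len)
{
    struct dns_header h;
    if (dns_parse_header(msg, len, &h) != 0) return DNS_MALFORMED;
    if (!(h.flags & DNS_FLAG_QR)) return DNS_MALFORMED;   /* a query, not a response */
    if (h.flags & DNS_FLAG_TC) return DNS_MALFORMED;      /* truncated: do not judge a partial message */
    return (h.flags & DNS_FLAG_AD) ? DNS_VALIDATED : DNS_UNVALIDATED;
}

/* Set `bit` in *opts only while fn() runs, then restore the caller's word exactly,
 * so the change never leaks into other users of the same resolver state (LDAP,
 * MySQL, ...). Assumption: in a real single-threaded program opts would be
 * &_res.options and bit RES_USE_DNSSEC from <resolv.h>. */
int dns_call_with_option(unsigned long *opts, unsigned long bit, int (*fn)(void *), void *arg)
{
    unsigned long saved = *opts;
    int rc;
    *opts |= bit;
    rc = fn(arg);
    *opts = saved;   /* restore, including the case where bit was already set */
    return rc;
}

struct opt_probe { unsigned long *opts; unsigned long seen; };
static int probe_options(void *arg) { struct opt_probe *p = arg; p->seen = *p->opts; return 0; }

/* Returns 1 if the bit was visible inside the call and the original word is back afterwards. */
int dns_option_scoping_ok(void)
{
    unsigned long opts = 0x1ul;                 /* some unrelated option is already set */
    struct opt_probe p = { &opts, 0 };
    dns_call_with_option(&opts, 0x800ul, probe_options, &p);   /* 0x800 stands in for RES_USE_DNSSEC */
    return (p.seen & 0x800ul) != 0 && opts == 0x1ul;
}

/* Constructed sample headers: "qr rd ra ad" (0x81a0) and "qr rd ra" (0x8180), QUERY 1, ANSWER 2, AUTHORITY 0, ADDITIONAL 1. */
const unsigned char SAMPLE_VALIDATED[DNS_HEADER_LEN] =
    { 0x12, 0x34, 0x81, 0xa0, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01 };
const unsigned char SAMPLE_UNVALIDATED[DNS_HEADER_LEN] =
    { 0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01 };

int main(void)
{
    printf("signed answer:   %d\n", dns_answer_validated(SAMPLE_VALIDATED, sizeof SAMPLE_VALIDATED));
    printf("unsigned answer: %d\n", dns_answer_validated(SAMPLE_UNVALIDATED, sizeof SAMPLE_UNVALIDATED));
    printf("option scoping:  %s\n", dns_option_scoping_ok() ? "ok" : "leaked");
    return 0;
}
```

The wrapper restores the saved word rather than clearing the bit, so a caller that had already enabled the option keeps it; and the AD check refuses to judge truncated or non-response messages rather than treating them as "not validated", since a retry over TCP may well produce a validated answer.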