Re: [exim-dev] [Bug 1461] New: dnssec use floods /var/log/me…

Inizio della pagina
Delete this message
Reply to this message
Autore: Jeremy Harris
Data:  
To: exim-dev
Oggetto: Re: [exim-dev] [Bug 1461] New: dnssec use floods /var/log/messages
On 08/04/14 19:57, Viktor Dukhovni wrote:
> On Sun, Apr 06, 2014 at 02:38:07PM +0100, Jeremy Harris wrote:
>
>> We'll be chasing the glibc issue separately, but exim might workaround by
>> either flipping the dnssec bit only while needed or by converting all
>> current use of gethostby* to use the newer res_search().
>
> Strong suggestion:
>
>      - Do not permanently change the global resolver options, this can break
>        various other libraries Exim might be linked with (LDAP, MySQL, ...).
>        Rather set and restore resolver options around each call (Exim is
>        not multi-threaded AFAIK).


Fair point.

>
>      - Do use getnameinfo() instead of gethostbyaddr() to perform address to
>        name lookups


Agreed, but low-priority given:

 >  I would not recomment using DNS directly as this breaks
>        systems that rely in part on /etc/hosts or other local nsswitch
>        mechanisms.


Disagree. Exim does exactly that; I assume it has done for some
time, and changing it is more likely to break things.

>
> Under the covers, if the address is on the public Internet, and
> requires DNS lookups for resolution, if the local resolver is
> configured to do DNSSEC, it will be validated. There is like at
> this time no reason for Exim to explicitly distinguish DNSSEC
> validated IP addresses from those that were obtained from unsigned
> zones. Therefore, if the goal is to simply filter out forgeries, the
> nameserver will already discard "bogus" results.
>
> In addition, PTR records by themselves are not trustworthy anyway
> until they are forward resolved and determined to match the query
> address. If you really want DNSSEC, you can apply it on the forward
> lookup, it is unlikely that in-addr.arpa will be signed any time
> soon.
>


ip6.arpa is - and I'd never have known if exim wasn't able to
distinguish:

$ dig +dnssec -x 2001:630:212:8::e:f40
[...]
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
[...]
;; ANSWER SECTION:
0.4.f.0.e.0.0.0.0.0.0.0.0.0.0.0.8.0.0.0.2.1.2.0.0.3.6.0.1.0.0.2.ip6.arpa. 86176
IN PTR ppsw-40-v6.csi.cam.ac.uk.
0.4.f.0.e.0.0.0.0.0.0.0.0.0.0.0.8.0.0.0.2.1.2.0.0.3.6.0.1.0.0.2.ip6.arpa. 86176
IN RRSIG PTR 5 34 86400 20140423220159 20140325152738 54825
1.2.0.0.3.6.0.1.0.0.2.ip6.arpa.
DKLZfRxjP/w9OMmtvI7viBKnsOZcDA1KwnyB76ph2BIqM0DXRuzb04Xz
oFnJJNZW6UG7VLk6FurvFL/8IfqdigGH4JjpHZ6r9CZfwxAi0tN/1RsN
/DqiYlusf8fVAnm6WHjB4dcfg8wXqHr1HsIRrz5e4aM=



Note the "ad" set in flags.
-- 
Cheers,
    Jeremy