Re: [exim-dev] [Bug 1461] New: dnssec use floods /var/log/me…

Author: Jeremy Harris
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 1461] New: dnssec use floods /var/log/messages
On 08/04/14 20:28, Heiko Schlittermann wrote:
> Viktor Dukhovni <viktor1dane@???> (Di 08 Apr 2014 20:57:43 CEST):
> …
>>      - Do use getnameinfo() instead of gethostbyaddr() to perform address to
>>        name lookups.  I would not recommend using DNS directly as this breaks
>>        systems that rely in part on /etc/hosts or other local nsswitch
>>        mechanisms.
>
> +1
>
>> Under the covers, if the address is on the public Internet, and
>> requires DNS lookups for resolution, if the local resolver is
>> configured to do DNSSEC, it will be validated. There is likely at
>> this time no reason for Exim to explicitly distinguish DNSSEC
>> validated IP addresses from those that were obtained from unsigned
>> zones. Therefore, if the goal is to simply filter out forgeries, the
>> nameserver will already discard "bogus" results.
>
> But does the client application have a way to tell if the getnameinfo()
> result is validated? Or failed because of a failed validation?

No - or at least I'm not aware of one.
--
Jeremy