Jeremy Harris <jgh@???> (Di 08 Apr 2014 21:49:34 CEST):
> On 08/04/14 20:28, Heiko Schlittermann wrote:
> >Viktor Dukhovni <viktor1dane@???> (Di 08 Apr 2014 20:57:43 CEST):
> >…
> >> - Do use getnameinfo() instead of gethostbyaddr() to perform address to
> >> name lookups. I would not recomment using DNS directly as this breaks
> >> systems that rely in part on /etc/hosts or other local nsswitch
> >> mechanisms.
> >
> >+1
> >
> >>Under the covers, if the address is on the public Internet, and
> >>requires DNS lookups for resolution, if the local resolver is
> >>configured to do DNSSEC, it will be validated. There is like at
> >>this time no reason for Exim to explicitly distinguish DNSSEC
> >>validated IP addresses from those that were obtained from unsigned
> >>zones. Therefore, if the goal is to simply filter out forgeries, the
> >>nameserver will already discard "bogus" results.
> >
> >But does the client application have a way to tell if the getnameinfo()
> >result is validated? Or failed because of a failed validation?
>
> No - or at least I'm not aware of one.
How should Exim implement DANE or other trust related things if there is
no way to know about the trustworthyness (?) of just a DNS answer. I
can imagine, that some day the libc resolver can set a flag
'validated', and, if failed, tell a bit more than 'host not found', may
be something like 'signature expired', 'signature broken'…
If I understand well, Exim needs to use the DNS directly, MX lookups,
SRV lookup and the like is nothing getnameinfo() & co can do for us.
If Exim gets the MX name from DNS, what do I expect for the MX name's IP?
DNS too, or obeying nsswitch.conf by using the libc resolver?
How trustworthy is an address I got from /etc/hosts? (But
nss and the libc resolver won't tell me the origin of the address anyway.)
Just loudly thinking, I do not expect any answer :)
--
Heiko
