Re: [exim-dev] [Bug 1461] New: dnssec use floods /var/log/me…

トップ ページ
このメッセージを削除
このメッセージに返信
著者: Heiko Schlittermann
日付:  
To: exim-dev
題目: Re: [exim-dev] [Bug 1461] New: dnssec use floods /var/log/messages
Jeremy Harris <jgh@???> (Di 08 Apr 2014 21:49:34 CEST):
> On 08/04/14 20:28, Heiko Schlittermann wrote:
> >Viktor Dukhovni <viktor1dane@???> (Di 08 Apr 2014 20:57:43 CEST):
> >…
> >>     - Do use getnameinfo() instead of gethostbyaddr() to perform address to
> >>       name lookups.  I would not recomment using DNS directly as this breaks
> >>       systems that rely in part on /etc/hosts or other local nsswitch
> >>       mechanisms.

> >
> >+1
> >
> >>Under the covers, if the address is on the public Internet, and
> >>requires DNS lookups for resolution, if the local resolver is
> >>configured to do DNSSEC, it will be validated. There is like at
> >>this time no reason for Exim to explicitly distinguish DNSSEC
> >>validated IP addresses from those that were obtained from unsigned
> >>zones. Therefore, if the goal is to simply filter out forgeries, the
> >>nameserver will already discard "bogus" results.
> >
> >But does the client application have a way to tell if the getnameinfo()
> >result is validated? Or failed because of a failed validation?
>
> No - or at least I'm not aware of one.


How should Exim implement DANE or other trust related things if there is
no way to know about the trustworthyness (?) of just a DNS answer. I
can imagine, that some day the libc resolver can set a flag
'validated', and, if failed, tell a bit more than 'host not found', may
be something like 'signature expired', 'signature broken'…

If I understand well, Exim needs to use the DNS directly, MX lookups,
SRV lookup and the like is nothing getnameinfo() & co can do for us.

If Exim gets the MX name from DNS, what do I expect for the MX name's IP?
DNS too, or obeying nsswitch.conf by using the libc resolver?

How trustworthy is an address I got from /etc/hosts? (But
nss and the libc resolver won't tell me the origin of the address anyway.)

Just loudly thinking, I do not expect any answer :)
--
Heiko