Re: [exim-dev] [Bug 1461] New: dnssec use floods /var/log/me…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 1461] New: dnssec use floods /var/log/messages
On Tue, Apr 08, 2014 at 08:48:22PM +0100, Jeremy Harris wrote:

> >        I would not recommend using DNS directly as this breaks
> >       systems that rely in part on /etc/hosts or other local nsswitch
> >       mechanisms.
The missing context was "for PTR lookups". Postfix uses explicit
DNS lookups for MX resolution and name->address resolution of MX
hosts, in the SMTP client, but uses just getnameinfo() in the SMTP
server. Perhaps this choice is not suitable for Exim, but I stand
by the "recommendation". I see no compelling reason to resolve
IP->name exclusively via DNS, but if you have your reasons, that's
fine.

The validation of the IP->name response is not terribly useful,
because you still need to forward-resolve the name, otherwise the
owner of the IP address is free to return any name of their choice.
As I said, I would apply DNSSEC (explicitly) only in the name->IP
direction. Again, you may have your reasons to do otherwise, just
trying to be helpful, if somewhat forceful about it...

-- 
    Viktor.
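The point in the message above, that a PTR answer is only meaningful once the returned name is forward-resolved back to the original address, is the forward-confirmed reverse DNS (FCrDNS) check. The following is an added illustration, not code from Exim, Postfix or the thread's authors. The lookup functions are injectable so that it runs offline against a constructed, clearly fictional DNS table; the `system_*` variants use the libc resolver via `getnameinfo()`/`getaddrinfo()` as the message describes for the server side, and do no DNSSEC validation of their own.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check.

Added example: not Exim or Postfix code. Resolver functions are passed in,
so the check can be exercised against constructed data without network access.
"""
import socket
from typing import Callable, List

# Constructed sample records (documentation-range addresses, not real hosts).
# 192.0.2.20 carries a PTR that claims a name it does not own: the owner of the
# reverse zone can put any name there, which is why the PTR alone proves nothing.
FAKE_PTR = {
    "192.0.2.10": ["mail.example.org"],
    "192.0.2.20": ["mail.example.org"],
    "198.51.100.5": ["mx.example.net", "alias.example.net"],
}
FAKE_FORWARD = {
    "mail.example.org": ["192.0.2.10"],
    "mx.example.net": ["203.0.113.9"],
    "alias.example.net": ["198.51.100.5"],
}


def fake_ptr_lookup(ip: str) -> List[str]:
    """IP -> names, from the constructed table (stands in for a PTR query)."""
    return FAKE_PTR.get(ip, [])


def fake_forward_lookup(name: str) -> List[str]:
    """name -> addresses, from the constructed table (stands in for A/AAAA)."""
    return FAKE_FORWARD.get(name, [])


def system_ptr_lookup(ip: str) -> List[str]:
    """IP -> name via getnameinfo(), honouring /etc/hosts and nsswitch.conf."""
    try:
        host, _ = socket.getnameinfo((ip, 0), socket.NI_NAMEREQD)
    except socket.gaierror:
        return []
    return [host]


def system_forward_lookup(name: str) -> List[str]:
    """name -> addresses via getaddrinfo(), same local resolver policy."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fcrdns(
    ip: str,
    ptr_lookup: Callable[[str], List[str]] = system_ptr_lookup,
    forward_lookup: Callable[[str], List[str]] = system_forward_lookup,
) -> List[str]:
    """Return only those PTR names for `ip` whose forward records contain `ip`.

    An empty list means the reverse name could not be confirmed and should be
    treated as untrusted (logged, scored, or ignored, per local policy).
    """
    confirmed = []
    for name in ptr_lookup(ip):
        if ip in forward_lookup(name):
            confirmed.append(name)
    return confirmed


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "198.51.100.5", "203.0.113.77"):
        print(addr, "->", fcrdns(addr, fake_ptr_lookup, fake_forward_lookup))
```

Run against the constructed table, 192.0.2.10 confirms as mail.example.org, 192.0.2.20 confirms nothing despite presenting the same PTR, and 198.51.100.5 keeps only the one of its two PTR names that actually resolves back to it. Swapping in the `system_*` functions gives the same check against the live resolver.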