On Tue, Apr 08, 2014 at 09:28:22PM +0200, Heiko Schlittermann wrote:
> > Under the covers, if the address is on the public Internet, and
> > requires DNS lookups for resolution, if the local resolver is
> > configured to do DNSSEC, it will be validated. There is likely at
> > this time no reason for Exim to explicitly distinguish DNSSEC
> > validated IP addresses from those that were obtained from unsigned
> > zones. Therefore, if the goal is to simply filter out forgeries, the
> > nameserver will already discard "bogus" results.
>
> But does the client application have a way to tell if the getnameinfo()
> result is validated? Or failed because of a failed validation?

My claim is that it does not matter. The IP->name mapping alone
is not terribly interesting from a security perspective.
--
Viktor.