Re: [exim-dev] [Bug 1461] New: dnssec use floods /var/log/me…

Author: Heiko Schlittermann
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 1461] New: dnssec use floods /var/log/messages
Viktor Dukhovni <viktor1dane@???> (Di 08 Apr 2014 23:35:57 CEST):
> On Tue, Apr 08, 2014 at 09:28:22PM +0200, Heiko Schlittermann wrote:
>
> > > Under the covers, if the address is on the public Internet, and
> > > requires DNS lookups for resolution, if the local resolver is
> > > configured to do DNSSEC, it will be validated. There is likely at
> > > this time no reason for Exim to explicitly distinguish DNSSEC
> > > validated IP addresses from those that were obtained from unsigned
> > > zones. Therefore, if the goal is to simply filter out forgeries, the
> > > nameserver will already discard "bogus" results.
> >
> > But does the client application have a way to tell if the getnameinfo()
> > result is validated? Or failed because of a failed validation?
>
> My claim is that it does not matter. The IP->name mapping alone
> is not terribly interesting from a security perspective.


Probably we misunderstood each other. I was talking more about MX, A, AAAA,
SRV lookups. You were probably talking about PTR lookups, weren't you?

--
Heiko