Re: [exim-dev] [Bug 864] DNSSEC Support

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 864] DNSSEC Support
On Thu, Apr 24, 2014 at 02:09:16PM +0100, Jeremy Harris wrote:

> --- Comment #8 from Jeremy Harris <jgh146exb@???> 2014-04-24 14:09:16 ---
> fd3b6a4 adds support for dnssec in dnsdb lookups.
>
> Doing an enquiry-only is still cumbersome: a dnssec_lax, dnssec_strict pair is
> needed.


What is the purpose of explicit DNSSEC lookups outside the context
of DANE? The local validating resolver will by default turn bogus
DNS replies into ServFail, so all replies seen by Exim will be
either "secure" or explicitly opted out by the parent domain.

So it seems to me that there is little point in DNSSEC lookups
unless something meaningful can be done with the security status
of the response. With DANE you need the security status of the
MX, A/AAAA and associated TLSA RRsets. Otherwise, why explicit
DNSSEC in Exim?

-- 
    Viktor.
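The three outcomes Viktor describes (validated, provably unsigned, bogus-turned-ServFail) are what a DNSSEC-aware client actually sees on the wire: the AD flag and the RCODE in the reply header from a local validating resolver. The following is an added illustration, not code from Exim or from either poster; it parses the RFC 1035 header of constructed replies, classifies them, and shows a "lax"/"strict" acceptance policy that borrows the names from Jeremy's comment only as an illustration, not as Exim's actual option semantics.

```python
"""Classify DNS replies by DNSSEC status from the header a validating
resolver returns.  Added example; sample replies are constructed, and the
lax/strict policy is hypothetical (not Exim's dnssec_lax/dnssec_strict)."""
import struct
from enum import Enum

FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data (RFC 4035 section 3.2.3)
FLAG_CD = 0x0010   # checking disabled
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
QTYPE_MX = 15      # MX, because DANE needs the security status of the MX RRset


class DnssecStatus(Enum):
    SECURE = "secure"      # AD=1: resolver validated the chain of trust
    INSECURE = "insecure"  # data returned without AD: zone or a parent is provably unsigned
    BOGUS = "bogus"        # SERVFAIL: validating resolver withheld data that failed validation


def encode_name(name: str) -> bytes:
    """Encode a dotted owner name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_reply(ident: int, rcode: int, ad: bool,
                qname: str = "example.com", qtype: int = QTYPE_MX) -> bytes:
    """Constructed resolver reply: 12-byte header plus the echoed question,
    no answer RRs (only the header matters for this classification)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & 0xF)
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)  # QD=1, AN=NS=AR=0
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg: bytes) -> dict:
    """Decode the fixed header; reject truncated input and queries."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    return {"id": ident, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "qdcount": qd, "ancount": an}


def classify(msg: bytes, resolver_is_trusted: bool = True) -> DnssecStatus:
    """Map a reply to secure / insecure / bogus.

    AD is only meaningful when the resolver sits on a trusted path (the
    local validating resolver Viktor refers to); a forwarder on an
    untrusted network could set AD arbitrarily, so it is ignored otherwise.
    SERVFAIL can also be an ordinary resolution failure; a client can tell
    the two apart by retrying with CD=1, which is not done here."""
    h = parse_header(msg)
    if h["rcode"] == RCODE_SERVFAIL:
        return DnssecStatus.BOGUS
    if h["ad"] and resolver_is_trusted:
        return DnssecStatus.SECURE
    return DnssecStatus.INSECURE


def accept(status: DnssecStatus, mode: str) -> bool:
    """Hypothetical policy: 'strict' requires a validated answer, 'lax'
    accepts validated or provably-unsigned data but never bogus."""
    if mode == "strict":
        return status is DnssecStatus.SECURE
    if mode == "lax":
        return status is not DnssecStatus.BOGUS
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for ident, rcode, ad in ((1, RCODE_NOERROR, True), (2, RCODE_NOERROR, False),
                             (3, RCODE_SERVFAIL, False)):
        st = classify(build_reply(ident, rcode, ad))
        print(ident, st.value, "strict:", accept(st, "strict"), "lax:", accept(st, "lax"))
```

Under this reading, an "insecure" result is not an error: it is the parent zone's explicit opt-out, and the only consumer that needs to distinguish it from "secure" is something like DANE, which must know whether the MX, address and TLSA RRsets were validated before trusting the TLSA data.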