Re: [exim-dev] [Bug 864] DNSSEC Support

Author: Jeremy Harris
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 864] DNSSEC Support
On 24/04/14 14:21, Viktor Dukhovni wrote:
> What is the purpose of explicit DNSSEC lookups outside the context
> of DANE? The local validating resolver will by default turn bogus
> DNS replies into ServFail, so all replies seen by Exim will be
> either "secure" or explicitly opted out by the parent domain.
>
> So it seems to me that there is little point in DNSSEC lookups
> unless something meaningful can be done with the security status
> of the response. With DANE you need the security status of the
> MX, A/AAAA and associated TLSA RRsets. Otherwise, why explicit
> DNSSEC in Exim?


It's a tool in the toolbox, just like having explicit
dnsdb lookups is.

For example, I'm considering coding up some long-term tracking
of sites I send to and their use of dnssec. I might want to
ring alarm-bells if it's been stably there and goes away.
This is the sort of thing that is too corner-case to hardwire
into exim (yet) but which can benefit from having the tools.
--
Cheers,
Jeremy
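
The tracking idea in the message above (alert when a destination's DNSSEC status has been stable and then disappears) can be sketched as follows. This is an added example, not code from the thread or from Exim; the observation format, the status names and the `min_streak` threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample data: (ISO date, recipient domain, status of the MX lookup).
# "secure"   = validating resolver marked the answer authenticated (AD bit)
# "insecure" = answer returned without authentication
# "servfail" = lookup failed; a validating resolver reports bogus data this way
OBSERVATIONS = [
    ("2014-04-01", "example.org", "secure"),
    ("2014-04-02", "example.org", "secure"),
    ("2014-04-03", "example.org", "servfail"),
    ("2014-04-04", "example.org", "secure"),
    ("2014-04-05", "example.org", "insecure"),
    ("2014-04-01", "example.net", "insecure"),
    ("2014-04-02", "example.net", "secure"),
    ("2014-04-03", "example.net", "insecure"),
    ("2014-04-01", "example.com", "secure"),
    ("2014-04-02", "example.com", "secure"),
    ("2014-04-03", "example.com", "secure"),
]


def find_dnssec_regressions(observations, min_streak=3):
    """Return (date, domain, streak) for every domain that answered securely
    for at least min_streak consecutive observations and then came back
    insecure. Domains that were never stably signed do not raise an alert."""
    streak = defaultdict(int)  # consecutive secure answers seen per domain
    alerts = []
    for date, domain, status in sorted(observations):  # ISO dates sort in time order
        if status == "secure":
            streak[domain] += 1
        elif status == "insecure":
            if streak[domain] >= min_streak:
                alerts.append((date, domain, streak[domain]))
            streak[domain] = 0  # the stable period is over either way
        elif status != "servfail":
            raise ValueError(f"unknown status {status!r} for {domain}")
        # servfail is no evidence of signed or unsigned: streak is left untouched
    return alerts


if __name__ == "__main__":
    for date, domain, streak in find_dnssec_regressions(OBSERVATIONS):
        print(f"{date} {domain}: insecure after {streak} secure answers")
```
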