On Thu, Apr 24, 2014 at 02:35:39PM +0100, Jeremy Harris wrote:
> It's a tool in the toolbox, just like having explicit
> dnsdb lookups is.
>
> For example, I'm considering coding up some long-term tracking
> of sites I send to and their use of dnssec. I might want to
> ring alarm-bells if it's been stably there and goes away.
> This is the sort of thing that is too corner-case to hardwire
> into exim (yet) but which can benefit from having the tools.

Fair enough I guess. I don't find this too compelling, but it may
be of interest to some.

Are the results always logged? If the DNSSEC validation status
is not recorded for posterity then it is likely futile.

The documentation should not promise any significant security
advantages to turning this on. Some users may be misled into
thinking they're enabling a security feature, rather than an
audit-trail feature. For most users leaving such explicit DNSSEC
lookups off will be a sensible default.

--
Viktor.
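
The tracking idea discussed in this thread (alert when a destination's DNSSEC status has been stably present and then goes away) can be sketched as follows. This is an added example, not code from the thread or from Exim; it assumes the validation status of each lookup has been recorded, and the record layout, function names and sample data are hypothetical and constructed for illustration.

```python
from collections import defaultdict
from datetime import date


def _obs(domain, flags, start=1):
    # Helper for building constructed sample data: one observation per day.
    return [(date(2014, 4, start + i), domain, f) for i, f in enumerate(flags)]


# Constructed observations: (day, recipient domain, DNSSEC-validated answer seen?).
# This layout is an assumption; it is not an Exim log format.
OBSERVATIONS = (
    _obs("example.org", [True] * 6 + [False] * 2)    # stable, then gone
    + _obs("example.net", [False] * 8)               # never signed
    + _obs("example.com", [True] * 8)                # still signed
    + _obs("flaky.example", [True] * 7 + [False])    # single missing result
)


def dnssec_regressions(observations, min_stable=5, min_missing=2):
    """Return {domain: first day validation was missing} for domains that were
    validated for at least min_stable consecutive observations and have since
    been unvalidated for at least min_missing consecutive observations."""
    history = defaultdict(list)
    for day, domain, validated in sorted(observations):
        history[domain].append((day, validated))

    alerts = {}
    for domain, rows in history.items():
        # Length of the trailing run of unvalidated observations.
        missing = 0
        for _, validated in reversed(rows):
            if validated:
                break
            missing += 1
        if missing < min_missing:
            continue  # still validated, or too short a gap to alert on
        # Length of the validated run immediately before that gap.
        stable = 0
        for _, validated in reversed(rows[:len(rows) - missing]):
            if not validated:
                break
            stable += 1
        if stable >= min_stable:
            alerts[domain] = rows[len(rows) - missing][0]
    return alerts


if __name__ == "__main__":
    for domain, since in dnssec_regressions(OBSERVATIONS).items():
        print(f"DNSSEC no longer validated for {domain} since {since}")
```

The `min_missing` threshold keeps a single unvalidated lookup from raising an alert; domains that were never validated are not reported at all.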