Re: [exim] Failing for DNSSEC lookup

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Viktor Dukhovni
Date:  
À: exim-users
Sujet: Re: [exim] Failing for DNSSEC lookup
On Sun, Mar 20, 2022 at 08:35:48PM +0100, Christian Eyrich via Exim-users wrote:

> my exim installation is failing when I try forcing DNSSEC for DANE using
> "dnssec_require_domains" for any domain.
>
> dnslookup_secure router: defer for dnssectest1@???
>    message: host lookup done insecurely


> chris@momos:~$ unbound-host -vDr mailbox.org
> mailbox.org has address 80.241.60.194 (secure)
> [...]


Even if the local (unbound) resolver performs DNSSEC validation and
signals a secure result via the "AD" bit in the DNS reply, a
sufficiently recent "glibc" will suppress the AD bit unless
/etc/resolv.conf sets "trust-ad" resolver option:

    https://github.com/NLnetLabs/dnssec-trigger/issues/5#issuecomment-799847737


The most likely problem is that this is not set in your
/etc/resolv.conf file.

Note that you should not trust the "AD" bit from *remote* nameservers
whose replies to your libc stub resolver traverse insecure networks.
In practice this means that /etc/resolv.conf MUST ONLY contain the
127.0.0.1 and/or ::1 nameserver addresses.

-- 
    Viktor.