On 31. 01. 22 11:50, Tony Finch wrote:
>> 2. Should sendmail not be trusting the AD bit in replies from the admin
>> configured (i.e., trusted by admin) resolvers?
> It's dangerous territory. Sendmail isn't alone: for example, OpenSSH also
> relies on the AD bit to validate SSHFP records. But using AD is only safe
> if the validating resolver is running on localhost. Unfortunately the
> portable subset of the resolver API doesn't allow programs to check their
> recursive server addresses, so they just have to hope that they have been
> configured by a careful person. (On a mail server there are also
> performance reasons for running a local resolver, so I guess you are OK in
> this respect.)
Let me add one more detail. To make this more explicit, glibc since 2.31
has added "options trust-ad" to resolv.conf. See
https://man7.org/linux/man-pages/man5/resolv.conf.5.html and search for
trust-ad.
I hope it helps.
--
Petr Špaček @ Internet Systems Consortium
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
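Two checks that follow from the thread, written as an added example (this is not code from the thread, nor from sendmail, OpenSSH, glibc or ISC): an audit of resolv.conf text that only passes when every nameserver is a loopback address and "options trust-ad" is present, and extraction of the AD flag from a raw DNS response header so it is clear which bit the application is actually trusting. Because, as Tony notes, the portable resolver API cannot tell a program which recursive servers it is using, the audit reads resolv.conf directly; it is therefore a deployment-time check for the careful admin, not something a mail server can portably do at runtime. The two resolv.conf samples and the 12-byte header bytes are constructed for the example.

```python
"""Checks around trusting the DNS AD (Authenticated Data) bit.

Added example for this thread; not code from sendmail, OpenSSH, glibc or ISC.
It reads resolv.conf text directly because the portable resolver API does not
expose the recursive server addresses to a program.
"""
import ipaddress

# Constructed sample configurations (not taken from any real host).
WEAK_RESOLV_CONF = """\
# remote validating resolver: the AD bit crosses the network unauthenticated
nameserver 192.0.2.53
options edns0
"""

SAFE_RESOLV_CONF = """\
# local validating resolver, glibc >= 2.31 told to pass AD through
nameserver 127.0.0.1
nameserver ::1
options trust-ad edns0
"""

# Constructed 12-byte DNS response headers (ID, flags, QD/AN/NS/AR counts).
# flags 0x81a0 = QR|RD|RA|AD, flags 0x8180 = QR|RD|RA.
RESPONSE_WITH_AD = bytes.fromhex("1234 81a0 0001 0001 0000 0000")
RESPONSE_WITHOUT_AD = bytes.fromhex("1234 8180 0001 0001 0000 0000")


def parse_resolv_conf(text):
    """Return (nameserver list, set of option tokens) from resolv.conf text."""
    nameservers, options = [], set()
    for raw in text.splitlines():
        # '#' and ';' both start comments in resolv.conf
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            nameservers.append(fields[1])
        elif fields[0] == "options":
            options.update(fields[1:])
    return nameservers, options


def ad_is_trustworthy(text):
    """Decide whether an application on this host may rely on the AD bit.

    Returns (ok, reasons). Both conditions must hold: every resolver is
    reached over loopback (nobody on the network path can set AD), and glibc
    is told to preserve AD (since 2.31 it clears AD unless trust-ad is set).
    """
    nameservers, options = parse_resolv_conf(text)
    reasons = []
    # With no nameserver lines glibc uses the name server on the local
    # machine, so an empty list counts as loopback here.
    for ns in nameservers:
        try:
            addr = ipaddress.ip_address(ns.split("%", 1)[0])  # drop fe80::1%eth0 scope id
        except ValueError:
            reasons.append("unparseable nameserver %r" % ns)
            continue
        if not addr.is_loopback:
            reasons.append("nameserver %s is not loopback; AD could be set "
                           "by anyone on the network path" % ns)
    if "trust-ad" not in options:
        reasons.append("options trust-ad missing: glibc 2.31+ clears AD in "
                       "responses unless RES_TRUSTAD is set")
    return (not reasons, reasons)


def ad_bit_from_response(wire):
    """Extract the AD flag from the header of a DNS message on the wire.

    Header flags word: QR(1) Opcode(4) AA TC RD RA Z AD CD RCODE(4),
    so AD is bit 5 counting from the least significant bit.
    """
    if len(wire) < 12:
        raise ValueError("short DNS message")
    flags = int.from_bytes(wire[2:4], "big")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return bool(flags & 0x0020)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_RESOLV_CONF), ("safe", SAFE_RESOLV_CONF)):
        ok, why = ad_is_trustworthy(conf)
        print(name, "ok" if ok else "NOT ok", why)
    print("AD set:", ad_bit_from_response(RESPONSE_WITH_AD),
          ad_bit_from_response(RESPONSE_WITHOUT_AD))
```

Run against a real host with `ad_is_trustworthy(open("/etc/resolv.conf").read())`; a remote nameserver and a missing trust-ad are reported as separate reasons, since fixing one without the other still leaves the AD bit meaningless to sendmail or OpenSSH.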