Folks,

As prep work for perhaps one day finishing the DNSSEC support in Exim, I've gotten testdns.exim.org being served with DNSSEC signatures (with NSEC3 support).

Unfortunately, the exim.org hoster can't take DS records safely (we'd have to switch to bind format, and even then it would be dangerous, since they reject DNS/TCP and so large responses risk breaking resolution). Indeed, I can't even add testdns.exim.org to dlv.isc.org because the lack of TCP support breaks their verification system.

So, in the meantime, if you want to test DNSSEC with entries from testdns.exim.org, you'll have to manually add a zone trust anchor to your verifying resolver. This PGP-signed email serves as evidence/notification of the trust anchor in use. Because this is a test zone, the only people affected by stale anchors will be people debugging Exim in the presence of DNSSEC, so it's not too bad to have random resolver configs having this key in them. *cough*

You either want DS keys or the DNSKEY for your setup.

testdns.exim.org. IN DS 26805 7 1 7437B150A8E7CA7E10581CBD878AC63FC2871F00
testdns.exim.org. IN DS 26805 7 2 4DA3410D5A84C4025132A9F54DADC664E3F95B80C9962A156689A202 3DAF5507
testdns.exim.org. IN DNSKEY 257 3 7 AwEAAc5ohRTM6+7LtFaTnJN6aqTfoCve8DSCysD/qBaaZTb2N3xgnxqB KOAMVgD1ETLDQW03UaipyptdSncJPo2Sd3Mtcmd80zldKUAfAmSPN8C4 TMM8LEYjCyJ77PD6PVj24e836dMI9MzktkfSQKutTgyhi2SJcqn/SGRf 2O29S7+NcZ0ABehq1HKMFhhRM27KnpLQMww2KjeB9822EPyd+sWNMNMd IdvrIkdNGNPzWdK1UnCnFkgUJ0oszRCs5tJKCJhO7Bh0Yj7hIRdsH2Vf wZ/F4aB0jptxz+bFt9upEOWYDIhnmWxyLS1jThyfddzMzVHth6DutJgf v7ASDXhe88c=

In unbound.conf, the validating resolver I use, it's as simple as a "trust-anchor:" directive in the "server:" block.

  $ dig +dnssec -t a mx4.valid254.testdns.exim.org

If that sets the "ad" flag in the response header, you have verification working and the trust anchor in place.

Regards,
-Phil
-- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
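An added example, not part of Phil's email or of Exim: before pinning the DNSKEY above as a trust anchor, recompute its RFC 4034 key tag and the digest type 1 (SHA-1) and type 2 (SHA-256) DS digests from the DNSKEY RDATA and confirm they agree with the two DS records posted. The records are embedded exactly as they appear in the message; only the Python standard library is used.

```python
import base64
import hashlib
import struct

def wire_name(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name || DNSKEY RDATA) as hex; 1=SHA-1, 2=SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(wire_name(owner) + rdata).hexdigest()

def check_anchor(owner, dnskey, ds_records):
    """Map each DS digest type to True only if key tag, algorithm and digest all match."""
    rdata = dnskey_rdata(*dnskey)
    tag = key_tag(rdata)
    results = {}
    for ds_tag, alg, dtype, digest in ds_records:
        expected = digest.replace(" ", "").lower()  # presentation form may split the hex
        results[dtype] = (ds_tag == tag and alg == dnskey[2]
                          and ds_digest(owner, rdata, dtype) == expected)
    return results
# The trust anchor material exactly as posted in the email above.
OWNER = "testdns.exim.org."
DNSKEY = (257, 3, 7,
          "AwEAAc5ohRTM6+7LtFaTnJN6aqTfoCve8DSCysD/qBaaZTb2N3xgnxqB"
          "KOAMVgD1ETLDQW03UaipyptdSncJPo2Sd3Mtcmd80zldKUAfAmSPN8C4"
          "TMM8LEYjCyJ77PD6PVj24e836dMI9MzktkfSQKutTgyhi2SJcqn/SGRf"
          "2O29S7+NcZ0ABehq1HKMFhhRM27KnpLQMww2KjeB9822EPyd+sWNMNMd"
          "IdvrIkdNGNPzWdK1UnCnFkgUJ0oszRCs5tJKCJhO7Bh0Yj7hIRdsH2Vf"
          "wZ/F4aB0jptxz+bFt9upEOWYDIhnmWxyLS1jThyfddzMzVHth6DutJgf"
          "v7ASDXhe88c=")
DS = [(26805, 7, 1, "7437B150A8E7CA7E10581CBD878AC63FC2871F00"),
      (26805, 7, 2, "4DA3410D5A84C4025132A9F54DADC664E3F95B80C9962A156689A202 3DAF5507")]

if __name__ == "__main__":
    print(check_anchor(OWNER, DNSKEY, DS))  # one True/False per DS digest type
```

A False for either digest type means the DS and DNSKEY in hand do not describe the same key, so the anchor should not be installed until the discrepancy is explained.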
