On 2013-03-15 at 03:26 -0400, Phil Pennock wrote:
> As prep work for perhaps one day finishing the DNSSEC support in Exim,
> I've gotten testdns.exim.org being served with DNSSEC signatures (with
> NSEC3 support).
*If* you configure a manual trust-anchor, as defined in that file, then you'll be unable to visit: http://www.invalid254.testdns.exim.org/

For most of the Internet's population, where most is "all but one, or perhaps two, people", that hostname resolves just fine. Once we can get exim.org signed, one day, that will invert so that anyone with a validating resolver will not be able to visit that site.

Why bother? Because if I'm going to test DNSSEC logic in Exim, I need to have hostnames that explicitly _fail_ DNSSEC validation, so that I can ensure not just that I haven't broken things that should work, but that I have successfully broken things that should not work.

In this case, I simply included DS records for invalid254.testdns.exim.org in the parent zone, testdns.exim.org, and put DNSKEY records into the zone, but have not signed it, so there are no NSEC/NSEC3 records. Combine with the signing policy on testdns.exim.org not allowing for child opt-outs, and that was all that's needed.

Separately: I saw from logs that someone on tahini tried to AXFR testdns.exim.org from us0ns.globnix.net, a secondary, instead of the primary (nlns.globnix.net). ACLs on the secondary updated to allow that too.

-Phil
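The validator decision the post exercises (DS in a signed parent, DNSKEY in the child, no RRSIGs, no opt-out), modelled as an added example that is not Exim's code or anything from the post: the RFC 4034 key-tag and RFC 4509 DS-digest computations are real, so the DS-to-DNSKEY match is checked properly, while signature verification of the DNSKEY RRset is reduced to a flag and the key bytes are constructed placeholders.

```python
import hashlib
import struct

def name_to_wire(name):
    """Owner name in DNS wire format: length-prefixed lowercase labels, root label last."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA (RFC 4034 s2.1): flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2 (RFC 4509): SHA-256(owner wire name || DNSKEY RDATA), as hex."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def ds_matches(ds, owner, rdata):
    """True when a DS record (dict) commits to this DNSKEY of the child zone."""
    return (ds["key_tag"] == key_tag(rdata) and ds["algorithm"] == rdata[3]
            and ds["digest_type"] == 2 and ds["digest"] == ds_digest_sha256(owner, rdata))

def classify_delegation(child, ds_records, child_dnskeys, dnskey_rrset_signed, parent_proves_no_ds):
    """Validator verdict for a child zone under a securely signed parent (RFC 4035 s5).
    ds_records: DS RRset returned by the signed parent (may be empty).
    child_dnskeys: DNSKEY RDATA values served by the child.
    dnskey_rrset_signed: whether an RRSIG by a DS-matched key verifies the DNSKEY RRset
      (the signature check itself is assumed to happen elsewhere).
    parent_proves_no_ds: whether a signed NSEC/NSEC3 (including an opt-out span, where the
      parent's signing policy allows opt-out) proves the DS RRset is absent."""
    if not ds_records:
        # No DS: only an authenticated denial makes the delegation insecure rather than bogus.
        return "insecure" if parent_proves_no_ds else "bogus"
    # A DS is present, so the child MUST validate; no opt-out span can override that.
    anchored = [k for k in child_dnskeys if any(ds_matches(ds, child, k) for ds in ds_records)]
    if not anchored:
        return "bogus"  # DS points at a key the child does not serve
    return "secure" if dnskey_rrset_signed else "bogus"  # unsigned child zone is bogus

if __name__ == "__main__":
    child = "invalid254.testdns.exim.org"
    ksk = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")  # constructed placeholder key bytes
    ds = {"key_tag": key_tag(ksk), "algorithm": 8, "digest_type": 2,
          "digest": ds_digest_sha256(child, ksk)}
    # DS in the parent, DNSKEY in the child, but no RRSIGs: the state the post describes.
    print(classify_delegation(child, [ds], [ksk], False, False))  # bogus
```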
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
