Jeremy Harris <[email protected]> (Di 08 Apr 2014 21:49:34 CEST):
> On 08/04/14 20:28, Heiko Schlittermann wrote:
> > Viktor Dukhovni <[email protected]> (Di 08 Apr 2014 20:57:43 CEST):
> > …
> > > - Do use getnameinfo() instead of gethostbyaddr() to perform address to
> > >   name lookups. I would not recommend using DNS directly as this breaks
> > >   systems that rely in part on /etc/hosts or other local nsswitch
> > >   mechanisms.
> >
> > +1
> >
> > > Under the covers, if the address is on the public Internet, and
> > > requires DNS lookups for resolution, if the local resolver is
> > > configured to do DNSSEC, it will be validated. There is like at
> > > this time no reason for Exim to explicitly distinguish DNSSEC
> > > validated IP addresses from those that were obtained from unsigned
> > > zones. Therefore, if the goal is to simply filter out forgeries, the
> > > nameserver will already discard "bogus" results.
> >
> > But does the client application have a way to tell if the getnameinfo()
> > result is validated? Or failed because of a failed validation?
>
> No - or at least I'm not aware of one.
How should Exim implement DANE or other trust-related things if there is no way to know about the trustworthiness (?) of just a DNS answer? I can imagine that some day the libc resolver can set a flag 'validated' and, if it failed, tell a bit more than 'host not found', maybe something like 'signature expired', 'signature broken'…

If I understand well, Exim needs to use the DNS directly; MX lookups, SRV lookups and the like are nothing getnameinfo() & co. can do for us. If Exim gets the MX name from DNS, what do I expect for the MX name's IP? DNS too, or obeying nsswitch.conf by using the libc resolver? How trustworthy is an address I got from /etc/hosts? (But nss and the libc resolver won't tell me the origin of the address anyway.)

Just thinking out loud, I do not expect any answer :)

-- Heiko
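As an added illustration of the point discussed above (this is example code written for this page, not code from the thread, from Exim or from the libc resolver): an application that talks DNS directly, as Exim must for MX lookups, can read the AD (Authenticated Data) bit and the RCODE of the response, which is exactly the information the getnameinfo()/nsswitch path never exposes. The parser below decodes a constructed MX response for example.org (names mail.example.org and mx2.example.org, the function names and the trust enum are all made up for the illustration), classifies it as secure, insecure or error, and the `classify_sample` helper re-runs the same bytes with different flag words so the three outcomes can be compared.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DNS header flag word (RFC 1035 section 4.1.1; AD bit from RFC 4035). */
#define DNS_FLAG_QR     0x8000  /* set on responses */
#define DNS_FLAG_AD     0x0020  /* Authenticated Data: validating resolver vouches for the answer */
#define DNS_RCODE_MASK  0x000F
#define DNS_TYPE_MX     15

/* Hypothetical classification; what a DNS-aware application sees and getnameinfo() hides. */
enum dns_trust { DNS_TRUST_ERROR = -1, DNS_TRUST_INSECURE = 0, DNS_TRUST_SECURE = 1 };

struct mx_record { uint16_t preference; char exchange[256]; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode a (possibly compressed) domain name at offset off into dotted form.
   Returns the offset just past the name in the message stream, or -1 if malformed. */
static int read_name(const uint8_t *msg, size_t len, size_t off, char *out, size_t outlen)
{
    size_t o = off, end = 0, pos = 0;
    int jumped = 0, hops = 0;
    for (;;) {
        if (o >= len) return -1;
        uint8_t lab = msg[o];
        if ((lab & 0xC0) == 0xC0) {                 /* compression pointer */
            if (o + 1 >= len || ++hops > 16) return -1;   /* bound pointer loops */
            if (!jumped) { end = o + 2; jumped = 1; }
            o = (size_t)(((lab & 0x3F) << 8) | msg[o + 1]);
            continue;
        }
        if (lab > 63) return -1;
        o++;
        if (lab == 0) break;
        if (o + lab > len || pos + lab + 1 >= outlen) return -1;
        if (pos) out[pos++] = '.';
        memcpy(out + pos, msg + o, lab);
        pos += lab;
        o += lab;
    }
    out[pos] = '\0';
    return (int)(jumped ? end : o);
}

/* Parse an MX response: fill mx[] (up to max entries, *count set) and report
   whether the resolver marked the data authenticated. Non-zero RCODE (e.g.
   SERVFAIL, which a validating resolver returns for bogus data) is an error. */
static enum dns_trust parse_mx_response(const uint8_t *msg, size_t len,
                                        struct mx_record *mx, size_t max, size_t *count)
{
    char name[256];
    *count = 0;
    if (len < 12) return DNS_TRUST_ERROR;
    uint16_t flags = rd16(msg + 2);
    if (!(flags & DNS_FLAG_QR) || (flags & DNS_RCODE_MASK) != 0) return DNS_TRUST_ERROR;
    uint16_t qd = rd16(msg + 4), an = rd16(msg + 6);
    size_t off = 12;
    for (uint16_t i = 0; i < qd; i++) {             /* skip question section */
        int n = read_name(msg, len, off, name, sizeof name);
        if (n < 0 || (size_t)n + 4 > len) return DNS_TRUST_ERROR;
        off = (size_t)n + 4;                        /* QTYPE + QCLASS */
    }
    for (uint16_t i = 0; i < an; i++) {             /* answer section */
        int n = read_name(msg, len, off, name, sizeof name);
        if (n < 0 || (size_t)n + 10 > len) return DNS_TRUST_ERROR;
        off = (size_t)n;
        uint16_t type = rd16(msg + off), rdlen = rd16(msg + off + 8);
        size_t rdata = off + 10;
        if (rdata + rdlen > len) return DNS_TRUST_ERROR;
        if (type == DNS_TYPE_MX && *count < max) {
            if (rdlen < 3) return DNS_TRUST_ERROR;
            mx[*count].preference = rd16(msg + rdata);
            if (read_name(msg, len, rdata + 2, mx[*count].exchange,
                          sizeof mx[*count].exchange) < 0) return DNS_TRUST_ERROR;
            (*count)++;
        }
        off = rdata + rdlen;
    }
    return (flags & DNS_FLAG_AD) ? DNS_TRUST_SECURE : DNS_TRUST_INSECURE;
}

/* Constructed sample: "example.org MX?" answered with two records, AD set. */
static const uint8_t sample_mx_response[] = {
    0x12, 0x34, 0x81, 0xa0,             /* ID; flags QR RD RA AD, RCODE 0 */
    0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,   /* QD=1 AN=2 NS=0 AR=0 */
    7, 'e','x','a','m','p','l','e', 3, 'o','r','g', 0, 0x00, 0x0f, 0x00, 0x01,
    0xc0, 0x0c, 0x00, 0x0f, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x09,
    0x00, 0x0a, 4, 'm','a','i','l', 0xc0, 0x0c,       /* MX 10 mail.example.org */
    0xc0, 0x0c, 0x00, 0x0f, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x08,
    0x00, 0x14, 3, 'm','x','2', 0xc0, 0x0c,           /* MX 20 mx2.example.org */
};

/* Re-parse the sample with a substituted flags word (0x81a0 AD set, 0x8180 AD
   clear, 0x8182 SERVFAIL) to show the three outcomes on identical RDATA. */
static enum dns_trust classify_sample(uint16_t flags, struct mx_record *mx, size_t max, size_t *count)
{
    uint8_t copy[sizeof sample_mx_response];
    memcpy(copy, sample_mx_response, sizeof copy);
    copy[2] = (uint8_t)(flags >> 8);
    copy[3] = (uint8_t)(flags & 0xff);
    return parse_mx_response(copy, sizeof copy, mx, max, count);
}

int main(void)
{
    static const uint16_t variants[] = { 0x81a0, 0x8180, 0x8182 };
    for (size_t v = 0; v < 3; v++) {
        struct mx_record mx[4]; size_t n = 0;
        enum dns_trust t = classify_sample(variants[v], mx, 4, &n);
        printf("flags 0x%04x -> %s, %zu MX record(s)\n", variants[v],
               t == DNS_TRUST_SECURE ? "SECURE" : t == DNS_TRUST_INSECURE ? "INSECURE" : "ERROR", n);
        for (size_t i = 0; i < n; i++) printf("  %u %s\n", mx[i].preference, mx[i].exchange);
    }
    return 0;
}
```

The AD bit is only worth acting on when the resolver that set it is trusted and the path to it cannot be tampered with (a validating resolver on localhost, typically); a resolver reached over an untrusted network could have its flags rewritten, which is why RFC 4035 ties the meaning of AD to the security of that last hop. That is also the gap the thread identifies: an application on the libc path has no channel for this bit at all.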
-- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
