On 24/04/14 14:21, Viktor Dukhovni wrote:
> What is the purpose of explicit DNSSEC lookups outside the context
> of DANE? The local validating resolver will by default turn bogus
> DNS replies into ServFail, so all replies seen by Exim will be
> either "secure" or explicitly opted out by the parent domain.
> So it seems to me that there is little point in DNSSEC lookups
> unless something meaningful can be done with the security status
> of the response. With DANE you need the security status of the
> MX, A/AAAA and associated TLSA RRsets. Otherwise, why explicit
> DNSSEC in Exim?

It's a tool in the toolbox, just like having explicit
dnsdb lookups is.
For example, I'm considering coding up some long-term tracking
of sites I send to and their use of DNSSEC. I might want to
ring alarm bells if it's been stably there and goes away.
This is the sort of thing that is too corner-case to hardwire
into Exim (yet) but which can benefit from having the tools.
--
Cheers,
Jeremy
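A sketch of the tracking idea discussed in this thread, as an added example that is not part of the original message and is not Exim code. It assumes each delivery logs one of three constructed status strings per recipient domain ("secure", "insecure", "servfail") and that three secure answers in a row count as "stably there"; the class, function and domain names are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass

STABLE_RUN = 3  # assumption: secure answers in a row that count as "stably there"

@dataclass
class DomainState:
    secure_run: int = 0        # current streak of validated ("secure") answers
    established: bool = False  # True once the streak has reached STABLE_RUN

class DnssecTracker:
    def __init__(self, stable_run=STABLE_RUN):
        self.stable_run = stable_run
        self.domains = defaultdict(DomainState)

    def observe(self, day, domain, status):
        """Record one lookup result; return an alert string or None."""
        key = domain.lower().rstrip(".")
        st = self.domains[key]
        if status == "secure":
            st.secure_run += 1
            st.established = st.established or st.secure_run >= self.stable_run
            return None
        if status == "servfail":
            # A validating resolver reports bogus data as ServFail; that is a
            # failed lookup, not evidence that signing was withdrawn.
            return None
        if status != "insecure":
            raise ValueError(f"unknown status: {status!r}")
        was_established = st.established
        st.secure_run, st.established = 0, False  # alert once per loss
        if was_established:
            return f"{day} {key}: DNSSEC was stable, answer now insecure"
        return None

# Constructed sample observations (day, recipient domain, status).
SAMPLE = [
    ("2014-04-01", "signed.example", "secure"),
    ("2014-04-02", "signed.example", "secure"),
    ("2014-04-03", "signed.example", "secure"),
    ("2014-04-03", "plain.example", "insecure"),   # never signed: no alert
    ("2014-04-04", "signed.example", "servfail"),  # state unchanged
    ("2014-04-05", "signed.example", "insecure"),  # stable, then gone: alert
    ("2014-04-06", "signed.example", "insecure"),  # already alerted
    ("2014-04-01", "flaky.example", "secure"),
    ("2014-04-02", "flaky.example", "insecure"),   # never stable: no alert
]

def run(observations):
    tracker = DnssecTracker()
    results = (tracker.observe(*obs) for obs in observations)
    return [alert for alert in results if alert]
```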