> Slightly OT, but other than setting up my own DNS caching resolver, what are
> the alternatives to these sorts of public services? In particular, is there one
> that won't do this when DNSSEC fails?
This question is fundamentally why DNSSEC has trouble gaining traction. If you
are interested in DNS still giving answers even when security may be
compromised, then you are not interested in DNSSEC. Its primary benefit is to
fail closed and give no answer rather than to fail open and give a possibly
mangled or modified answer.
If you really care about e-mail privacy and authenticity, use S/MIME and PKI or
PGP. That’s where encryption and validation SHOULD be handled. It’s the only
place where the user is ready to handle the non-optimal failure cases like
expired certificates.
And you can see if e-mail you received was encrypted when sent to your server
by looking at the headers. It’s a dying art form, I know, but it’s in there.
Yay headers.
"accept for domain <validcrt> relay tls verify" - for domains you care about
is a really sweet option that I will be implementing shortly. Thanks for the
example.
ED.
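As an added illustration of the "look at the headers" point above (this is example code, not part of the original post or of any mail server's own tooling): the script below walks the Received: headers of a message and reports, hop by hop, whether the mail was handed over with TLS. It relies on the RFC 3848 "with" keywords (a trailing S, as in ESMTPS or ESMTPSA, means the hop was received over TLS) and, where present, picks up a TLS version string from the parenthetical a server adds. The sample message is constructed here; the exact parenthetical formats are an assumption and vary between servers, which is why the keyword, not the parenthetical, decides the TLS verdict.

```python
import re
from email import message_from_string

# Constructed sample message (not from the original post). The outer hop was
# received with ESMTPS (TLS), the inner hop from the client was plain ESMTP.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org (OpenSMTPD) with ESMTPS id 1a2b3c4d
\t(TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO)
\tfor <alice@example.org>; Tue, 01 Jan 2019 10:00:00 +0000
Received: from client.example.net (client.example.net [198.51.100.7])
\tby mx.example.net (Postfix) with ESMTP id 9Z8Y7X
\tfor <alice@example.org>; Tue, 01 Jan 2019 09:59:50 +0000
From: bob@example.net
To: alice@example.org
Subject: test

hello
"""

# RFC 3848 (and RFC 6531 for UTF8SMTP*) "with" keywords: SMTP, ESMTP, ESMTPA,
# ESMTPS, ESMTPSA, UTF8SMTP, UTF8SMTPA, UTF8SMTPS, UTF8SMTPSA. The S suffix
# means the hop was received over a TLS session.
WITH_RE = re.compile(r'\bwith\s+([A-Za-z0-9]+)')
FROM_RE = re.compile(r'\bfrom\s+(\S+)')
BY_RE = re.compile(r'\bby\s+(\S+)')
# Version string such as "TLSv1.2"; the surrounding cipher/verify fields are
# server-specific, so only the version is extracted (assumed format).
TLSVER_RE = re.compile(r'\bTLSv1(?:\.\d)?\b')


def _is_tls_keyword(keyword):
    """True for the RFC 3848/6531 keywords that denote a TLS-protected hop."""
    kw = keyword.upper()
    return kw.startswith('ESMTPS') or kw.startswith('UTF8SMTPS')


def tls_hops(raw_message):
    """Return one dict per Received: header, newest hop first.

    Each dict holds the 'from' and 'by' hosts, the 'with' protocol keyword,
    a boolean 'tls' derived from that keyword, and the TLS 'version' if the
    receiving server recorded one.
    """
    msg = message_from_string(raw_message)
    hops = []
    for hdr in msg.get_all('Received', []):
        # Unfold the header: continuation lines start with whitespace.
        flat = re.sub(r'\s+', ' ', hdr)
        with_m = WITH_RE.search(flat)
        from_m = FROM_RE.search(flat)
        by_m = BY_RE.search(flat)
        ver_m = TLSVER_RE.search(flat)
        proto = with_m.group(1) if with_m else None
        hops.append({
            'from': from_m.group(1) if from_m else None,
            'by': by_m.group(1) if by_m else None,
            'proto': proto,
            'tls': bool(proto) and _is_tls_keyword(proto),
            'version': ver_m.group(0) if ver_m else None,
        })
    return hops


def all_hops_encrypted(raw_message):
    """True only if every recorded hop was received over TLS."""
    hops = tls_hops(raw_message)
    return bool(hops) and all(h['tls'] for h in hops)


if __name__ == '__main__':
    for hop in tls_hops(SAMPLE):
        state = 'TLS %s' % (hop['version'] or '(version not recorded)') \
            if hop['tls'] else 'CLEARTEXT'
        print('%s -> %s via %s: %s' % (hop['from'], hop['by'], hop['proto'], state))
    print('every hop encrypted:', all_hops_encrypted(SAMPLE))
```

Note that a Received: line only describes the hop the receiving server saw, and servers you do not control can write whatever they like into their headers; the check is trustworthy for your own server's hop and informational for the rest.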