On 31. 01. 22 11:50, Tony Finch wrote:
2. Should sendmail not be trusting the AD bit in replies from the admin
configured (i.e., trusted by admin) resolvers?
It's dangerous territory. Sendmail isn't alone: for example, OpenSSH also
relies on the AD bit to validate SSHFP records. But using AD is
Gregory Shapiro via bind-users wrote:
>
> Two questions:
Slightly expanding on Mark's answers...
> 1. Is there a reason when BIND is running as both a recursive server and
> an authoritative server for a domain, it doesn't set the AD bit when
> answering resolver queries for one of its
> On 31 Jan 2022, at 10:45, Gregory Shapiro via bind-users
> wrote:
>
> sendmail's implementation of DANE determines whether DNSSEC validation was
> successful based on the presence of the AD bit in the response to the DANE
> record lookup.
>
> An equivalent dig lookup would be:
>
>
sendmail's implementation of DANE determines whether DNSSEC validation was
successful based on the presence of the AD bit in the response to the DANE
record lookup.
An equivalent dig lookup would be:
% dig TLSA _25._tcp.smtp.gshapiro.net.
...
;; Got answer:
;; ->>HEADER<<-