On 2013-03-20, at 17:06, Phil Pennock <[email protected]> wrote:
> On 2013-03-20 at 07:55 -0400, Joe Abley wrote:
>> I think if an application wants to _rely_ on DNSSEC, then it should be
>> setting the DO bit and the CD bit, and doing its own validation.
>
> This violates encapsulation and segregation of concerns.
>
> For an MTA with a caching validating resolver on localhost (since all
> but the validating part is common best practice today):
>
> If validation logic goes into an MTA, then the MTA needs to be updated
> to know about new signing algorithms, deal with yet more discovered
> flaws in DNSSEC handling, and generally process UDP data received over
> the network as the mail run-time user.

... or by linking against a libresolv type API that includes validation, under the hood.

> I don't see any way I'd be happy moving the rest of the validation logic
> into the MTA. We let Unbound do what Unbound is good at, and trust it.
> Exim works _with_ other systems and is already pretty damned large for a
> security-sensitive component, without deciding we can't trust any other
> part of the OS and its facilities and replicating them internally.
>
> In fact, I'm going to go so far as to say "Hell no!" -- we won't be
> smoking that crack.

:-)

Joe

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
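
The two models argued over in this thread differ on the wire in only a few bits. As an added example (not code from either poster, Exim or Unbound), this Python code builds a query in each style and applies a "trust the localhost validating resolver" policy to a response header. The AD-bit check, all function names, the MX query and the sample response are assumptions of this example.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035); DO lives in the EDNS0 OPT record (RFC 3225).
QR, RD, AD, CD = 0x8000, 0x0100, 0x0020, 0x0010
DO = 0x8000          # top bit of the low 16 bits of the OPT "TTL" field
LOOPBACK = {"127.0.0.1", "::1"}

def build_query(name, qtype, qid, cd, do=True):
    """Build a DNS query carrying an EDNS0 OPT record (hypothetical helper)."""
    header = struct.pack("!HHHHHH", qid, RD | (CD if cd else 0), 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)            # class IN
    # OPT pseudo-RR: root owner, type 41, class = UDP size, TTL = ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO if do else 0, 0)
    return header + question + opt

def header_bits(msg):
    """Extract the header bits that matter for the trust decision."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags = struct.unpack("!HH", msg[:4])
    return {"id": qid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0x000F}

def accept_as_validated(response, qid, resolver_addr):
    """Policy for trusting the resolver: AD counts only from a loopback resolver."""
    b = header_bits(response)
    return (b["qr"] and b["id"] == qid and b["rcode"] == 0
            and b["ad"] and resolver_addr in LOOPBACK)

# Model 1 (trust the local validating resolver): DO set, CD clear, then check AD.
TRUSTING_QUERY = build_query("example.org", 15, 0x1234, cd=False)   # 15 = MX
# Model 2 (application validates itself): DO and CD set, RRSIGs checked in-process.
SELF_VALIDATING_QUERY = build_query("example.org", 15, 0x1234, cd=True)

# Constructed response header: QR|RD|RA|AD, NOERROR, no records (illustration only).
SAMPLE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 0, 0, 0, 0)

if __name__ == "__main__":
    print(header_bits(TRUSTING_QUERY), header_bits(SELF_VALIDATING_QUERY))
    print(accept_as_validated(SAMPLE_RESPONSE, 0x1234, "127.0.0.1"))   # loopback
    print(accept_as_validated(SAMPLE_RESPONSE, 0x1234, "192.0.2.53"))  # remote
```

In the second model the AD bit is ignored and the application must verify the returned RRSIGs itself, which is the code the quoted text does not want inside the MTA.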
