Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> On Mon, Jul 31, 2017 at 05:11:07PM +0000, Evan Hunt wrote:
>
> > Are there applications specifically trusting AD=1 and behaving differently
> > than with AD=0?
>
> On Mon, Jul 31, 2017 at 02:16:37PM -0400, Paul Wouters wrote:
>
> > Postfix is one but last I knew only when resolv contains localhost.
>
> Not only Postfix, also Exim, and perhaps also Sendmail some day
> if/when DANE support appears there,

And ssh can be configured to use the AD bit for SSHFP authentication.
There are a few alternatives for ssh + DNSSEC and they interact in ways
that are not always ideal - see http://fanf.livejournal.com/130577.html

> The AD bit is exactly the right DNSSEC interface. All that's
> missing from the traditional libresolv (and not missing from recent
> innovations in res_ninit(), res_nsearch(), ...) is the ability to
> specify the loopback address as the sole resolver in the application.

Yep.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Forties, Cromarty: South 3 or 4, backing east 5 or 6, becoming cyclonic, then
southwest 4 or 5 later. Slight becoming moderate. Rain or showers. Moderate or
good.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
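
The policy discussed in the thread above, as an added example that is not part of the original messages and is not code from Postfix, Exim or OpenSSH: honour the AD bit of a DNS response only when every configured resolver is a loopback address, since the hop between a stub and a remote resolver is not authenticated. The function names, the sample resolv.conf text and the header-only response bytes are constructed for illustration, and treating an empty nameserver list as untrusted is an assumption of this example.

```python
import ipaddress
import struct

QR_FLAG = 0x8000  # set on responses
AD_FLAG = 0x0020  # "Authentic Data" bit in the DNS header flags word


def nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def resolver_is_local(resolv_conf_text):
    """True only if at least one nameserver is set and all are loopback."""
    servers = nameservers(resolv_conf_text)
    if not servers:
        return False  # assumption: fail closed, do not rely on a libc default
    try:
        return all(ipaddress.ip_address(s).is_loopback for s in servers)
    except ValueError:
        return False  # unparsable address: fail closed


def ad_bit_trusted(response, resolv_conf_text):
    """Decide whether a raw DNS response may be treated as DNSSEC-validated."""
    if len(response) < 12:
        return False  # truncated header
    _msg_id, flags = struct.unpack("!HH", response[:4])
    if not flags & QR_FLAG:
        return False  # not a response
    return bool(flags & AD_FLAG) and resolver_is_local(resolv_conf_text)


# Constructed samples: header-only responses (ID, flags, four zero counts).
RESP_AD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 0, 0, 0, 0)     # QR RD RA AD
RESP_NO_AD = struct.pack("!HHHHHH", 0x1234, 0x8180, 0, 0, 0, 0)  # QR RD RA
LOCAL_CONF = "# validating resolver on this host\nnameserver 127.0.0.1\nnameserver ::1\n"
MIXED_CONF = "nameserver 127.0.0.1\nnameserver 192.0.2.53\n"

if __name__ == "__main__":
    for conf in (LOCAL_CONF, MIXED_CONF):
        print(nameservers(conf), ad_bit_trusted(RESP_AD, conf))
```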