On 08/04/14 19:57, Viktor Dukhovni wrote:
> On Sun, Apr 06, 2014 at 02:38:07PM +0100, Jeremy Harris wrote:
>
>> We'll be chasing the glibc issue separately, but exim might work around by
>> either flipping the dnssec bit only while needed or by converting all
>> current use of gethostby* to use the newer res_search().

> Strong suggestion:
>
>      - Do not permanently change the global resolver options, this can break
>        various other libraries Exim might be linked with (LDAP, MySQL, ...).
>        Rather set and restore resolver options around each call (Exim is
>        not multi-threaded AFAIK).

Fair point.


>      - Do use getnameinfo() instead of gethostbyaddr() to perform address to
>        name lookups

Agreed, but low-priority given:

>        I would not recommend using DNS directly as this breaks
>        systems that rely in part on /etc/hosts or other local nsswitch
>        mechanisms.

Disagree.  Exim does exactly that; I assume it has done for some
time, and changing it is more likely to break things.


> Under the covers, if the address is on the public Internet, and
> requires DNS lookups for resolution, if the local resolver is
> configured to do DNSSEC, it will be validated.  There is likely at
> this time no reason for Exim to explicitly distinguish DNSSEC
> validated IP addresses from those that were obtained from unsigned
> zones.  Therefore, if the goal is to simply filter out forgeries, the
> nameserver will already discard "bogus" results.
>
> In addition, PTR records by themselves are not trustworthy anyway
> until they are forward resolved and determined to match the query
> address.  If you really want DNSSEC, you can apply it on the forward
> lookup, it is unlikely that in-addr.arpa will be signed any time
> soon.


ip6.arpa is - and I'd never have known if exim wasn't able to
distinguish:

$ dig +dnssec -x 2001:630:212:8::e:f40
[...]
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
[...]
;; ANSWER SECTION:
0.4.f.0.e.0.0.0.0.0.0.0.0.0.0.0.8.0.0.0.2.1.2.0.0.3.6.0.1.0.0.2.ip6.arpa. 86176 IN PTR ppsw-40-v6.csi.cam.ac.uk.
0.4.f.0.e.0.0.0.0.0.0.0.0.0.0.0.8.0.0.0.2.1.2.0.0.3.6.0.1.0.0.2.ip6.arpa. 86176 IN RRSIG PTR 5 34 86400 20140423220159 20140325152738 54825 1.2.0.0.3.6.0.1.0.0.2.ip6.arpa. DKLZfRxjP/w9OMmtvI7viBKnsOZcDA1KwnyB76ph2BIqM0DXRuzb04Xz oFnJJNZW6UG7VLk6FurvFL/8IfqdigGH4JjpHZ6r9CZfwxAi0tN/1RsN /DqiYlusf8fVAnm6WHjB4dcfg8wXqHr1HsIRrz5e4aM=

Note the "ad" set in flags.
--
Cheers,
   Jeremy
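The thread above makes two concrete points: set the DNSSEC resolver option only around the call that needs it and restore it afterwards (Viktor's suggestion), and let the caller see the AD flag in the reply so it can tell a validated answer from an unsigned one (Jeremy's ip6.arpa dig output). The C program below is an added example written for this page; it is not Exim's code and was not posted by either participant. The function names `dns_reply_has_ad` and `dnssec_lookup` and the two twelve-byte sample reply headers are constructed for the example; the option names, `_res`, `res_init()` and `res_query()` are the standard glibc/BIND resolver interface.

```c
/* Added example (not Exim's code): request DNSSEC for one lookup by setting
 * the global resolver options, restore them afterwards, and read the AD
 * ("authenticated data") bit out of the raw reply header.
 * Build on glibc: cc -o adcheck adcheck.c -lresolv
 * (glibc 2.34 and later ship the resolver in libc, so -lresolv is optional). */
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

/* Return 1 if the DNS message in buf has the AD bit set, 0 if it is clear,
 * -1 if buf is too short to hold the 12-byte fixed header.  The check is
 * purely on the wire format, so it works on res_query()/res_search() output
 * or on any captured DNS message. */
int dns_reply_has_ad(const unsigned char *buf, size_t len)
{
    if (len < NS_HFIXEDSZ)          /* NS_HFIXEDSZ == 12 */
        return -1;
    /* Header byte 3 holds RA | Z | AD | CD | RCODE(4); AD is bit 5 (0x20). */
    return (buf[3] & 0x20) ? 1 : 0;
}

/* One lookup with RES_USE_DNSSEC requested (DNSSEC needs EDNS0 as well).
 * The previous option word is saved and put back on every exit path, so
 * other libraries in the same process (LDAP, MySQL, ...) keep seeing the
 * resolver as they configured it.  Returns the reply length or -1 on
 * failure; on success *ad_out receives the AD state of the reply. */
int dnssec_lookup(const char *name, int rrtype,
                  unsigned char *answer, int anslen, int *ad_out)
{
    if (res_init() != 0)
        return -1;
    unsigned long saved = _res.options;             /* save */
    _res.options |= RES_USE_EDNS0 | RES_USE_DNSSEC;  /* set for this call only */
    int n = res_query(name, ns_c_in, rrtype, answer, anslen);
    _res.options = saved;                           /* restore, even on failure */
    if (n < 0)
        return -1;
    *ad_out = dns_reply_has_ad(answer, (size_t)n);
    return n;
}

/* Constructed sample headers (not real traffic): id 0x1234, one question,
 * two answers, one additional record.  Flags 0x81a0 = qr rd ra ad, as in the
 * dig output above; 0x8180 = qr rd ra with AD clear. */
const unsigned char sample_reply_ad[12] =
    { 0x12, 0x34, 0x81, 0xa0, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01 };
const unsigned char sample_reply_noad[12] =
    { 0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01 };

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <name>  (an A owner name, or a PTR name under .arpa)\n",
                argv[0]);
        return 2;
    }
    const char *name = argv[1];
    size_t nl = strlen(name);
    /* Query PTR for reverse names, A otherwise; both are looked up the same way. */
    int rrtype = (nl >= 5 && strcmp(name + nl - 5, ".arpa") == 0) ? ns_t_ptr : ns_t_a;

    unsigned char answer[NS_PACKETSZ * 4];   /* EDNS0 replies may exceed 512 bytes */
    int ad = 0;
    int n = dnssec_lookup(name, rrtype, answer, sizeof answer, &ad);
    if (n < 0) {
        fprintf(stderr, "lookup of %s failed\n", name);
        return 1;
    }
    printf("%s: %d byte reply, AD flag %s\n", name, n, ad ? "set" : "clear");
    return 0;
}
```

The AD bit only says that the server which answered claims to have validated the data, so it is meaningful when the stub talks to a validating resolver over a path it trusts (the local resolver Viktor describes). It also says nothing about whether a PTR name is the right one for the address; that still needs the forward confirmation the thread mentions.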


--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
