On 08/04/14 20:28, Heiko Schlittermann wrote:
Viktor Dukhovni <[email protected]> (Di 08 Apr 2014 20:57:43 CEST):
…
- Do use getnameinfo() instead of gethostbyaddr() to perform address to
name lookups. I would not recommend using DNS directly as this breaks
systems that rely in part on /etc/hosts or other local nsswitch
mechanisms.
+1
Under the covers, if the address is on the public Internet, and
requires DNS lookups for resolution, if the local resolver is
configured to do DNSSEC, it will be validated. There is likely at
this time no reason for Exim to explicitly distinguish DNSSEC
validated IP addresses from those that were obtained from unsigned
zones. Therefore, if the goal is to simply filter out forgeries, the
nameserver will already discard "bogus" results.
But does the client application have a way to tell if the getnameinfo()
result is validated? Or failed because of a failed validation?
No - or at least I'm not aware of one.
--
Jeremy
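
The lookup recommended in this thread, as an added example that is not part of the original messages and is not Exim code: an address-to-name lookup through getnameinfo(), which honours /etc/hosts and nsswitch. The names ptr_status, classify_gni and reverse_lookup are hypothetical; the status enum has no "validated" or "bogus" value because the getnameinfo() return codes carry none.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical result type: everything the caller can learn from getnameinfo(). */
enum ptr_status { PTR_OK, PTR_NO_NAME, PTR_LOOKUP_FAILED, PTR_BAD_INPUT };

/* Map a getnameinfo() return code to a status. A lookup that failed because a
   validating resolver rejected the answer lands in PTR_LOOKUP_FAILED together
   with every other resolver failure; the API gives no way to tell them apart. */
enum ptr_status classify_gni(int rc)
{
    switch (rc) {
    case 0:          return PTR_OK;
    case EAI_NONAME: return PTR_NO_NAME;        /* NI_NAMEREQD set, no name found */
    default:         return PTR_LOOKUP_FAILED;  /* EAI_AGAIN, EAI_FAIL, ... */
    }
}

/* Parse a textual IPv4 or IPv6 address and look it up via the system resolver.
   flags is passed to getnameinfo() unchanged (for example NI_NAMEREQD). */
enum ptr_status reverse_lookup(const char *ip, int flags, char *host, size_t hostlen)
{
    struct sockaddr_storage ss;
    struct sockaddr_in *s4 = (struct sockaddr_in *)&ss;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
    socklen_t len;

    memset(&ss, 0, sizeof ss);
    if (inet_pton(AF_INET, ip, &s4->sin_addr) == 1) {
        s4->sin_family = AF_INET;   len = sizeof *s4;
    } else if (inet_pton(AF_INET6, ip, &s6->sin6_addr) == 1) {
        s6->sin6_family = AF_INET6; len = sizeof *s6;
    } else {
        return PTR_BAD_INPUT;
    }
    return classify_gni(getnameinfo((struct sockaddr *)&ss, len,
                                    host, (socklen_t)hostlen, NULL, 0, flags));
}

int main(int argc, char **argv)
{
    char host[1025] = "";
    enum ptr_status st = reverse_lookup(argc > 1 ? argv[1] : "127.0.0.1", NI_NAMEREQD, host, sizeof host);
    printf("status=%d host=%s\n", (int)st, host);
    return 0;
}
```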