* Ted Cooper: > DNSSEC just makes sure that the answers received in DNS lookups are > valid
Yes. > and came from the right place. Doesn't it? No. The transport isn't secured at all. That's why the protocol is so complex, and somewhat operationally challenging with current software. > I would have thought the responsibility for doing DNS lookups and > validating them would fall to the resolver library. In the event there > is a DNSSEC failure, the resolver simply returns SERVFAIL or lookup > fail. The normal Exim behaviour when this happens is dependant on where > it was called. Client-side validation in short-lived processes does not work that well because you'd have to walk back the chain of delegation to a trust anchor, fetching DS and DNSKEY RRs at each point and performing an RSA operation. You have to repeat the process for each MX host, so for domains like exim.org (domain and all MXs in different TLDs), this can be quite a bit of work. Usually, the costs are reduced by caching, but if you use a process-specific validator in a short-lived process, the efficiency of the cache is greatly reduced. (I can't find the Postfix and Sendmail patches, BTW, so I don't know what they are doing.) -- Florian Weimer <[email protected]> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99 -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
