> On Jul 27, 2016, at 3:35 PM, John C Klensin <john-i...@jck.com> wrote:
>
> Keep in
> mind that a CNAME can point anywhere in the tree and that, in
> the general case (the SMTP requirement that the
> originally-specified domain appear in RCPT and that only final
> names (no aliases) can appear in some other places is an
> exception, applications may not find out the original name and
> the DNS provides no "came from" function. In that kind of
> situation, _especially_ in that kind of situation, one would
> really like an integrity check on DNS replies to validate the
> aliases including the technical and policy legitimacy of the
> pointer relationship, not just that the label, RRTYPE, data,
> etc., are what existed in the relevant authoritative server (and
> that it _is_ the authoritative server).

My expectations of DNSSEC are more modest, I seek only MITM resistance. Just a different perspective on the same facts, so your explanation was helpful and sufficient, thanks.

--
Viktor.