From: Bernhard Fischer (bf abenteuerland.at)
Date: Sat Dec 20 2008 - 02:27:21 CST
On Wednesday 17 December 2008, Wietse Venema wrote:
> klondike:
> > Bernhard Fischer wrote:
> > > I'd like to use DNSSEC with Postfix.
> > > I did some research on the web but although DNSSEC is there nobody
> > > really cares about it.
> > > The most recent patch for Postfix is for release 2.3 and is based on
> > > libs (libval, libsres) I didn't find any download page for.
> > >
> > > Is there any recent development going on?
> >
> > Although I don't know whether there is actual development or not in
> > DNSSEC, you should bear in mind that there are still a lot of servers
> > which don't support DNSSEC, either because it is disabled, due to
> > problems with the proved denial of existence system used originally, or
> > because the admins haven't updated the machine as DNS is a fairly
> > sensitive service.
> >
> > Said that, if postfix developers want to add DNSSEC support, although
> > that should be implemented on the name resolving libraries, I wouldn't
> > mind sharing my, scarce, knowledge on it.
>
> What are the application-visible changes? If one relies on BIND
> etc. for validation, where does DNSSEC affect the application?
> Postfix uses the standard resolver library but these calls are
> entirely encapsulated in a single module.
>
> Wietse
A resolver basically resolves a name to an IP, not more not less.
Resolving an IP with DNSSEC could lead to several different answers, i.e. a
name could be resolved DNSSEC valid or invalid (wrong sigs).
As we all know, DNSSEC is not fully deployed yet, that's why I think an
application should have the option to decide how to behave (if a response is
either DNSSEC valid or INVALID).
Bernhard
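
The question in this thread is where DNSSEC becomes visible to an application that relies on a validating resolver. The sketch below is an added example, not code from this thread or from Postfix: it reads the AD (Authentic Data) bit and RCODE from a raw DNS reply header and applies a per-application policy. All names are hypothetical, the sample headers are constructed, and the AD bit is assumed to come from a validating resolver reached over a trusted path (for example on localhost).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; none of this is Postfix code. */
enum dnssec_status { DS_SECURE, DS_INSECURE, DS_FAILED, DS_MALFORMED };
enum dnssec_policy { POLICY_OPPORTUNISTIC, POLICY_REQUIRE_SECURE };

#define DNS_FLAG_QR   0x8000u  /* message is a response */
#define DNS_FLAG_AD   0x0020u  /* Authentic Data: resolver validated the answer */
#define DNS_RCODE(f)  ((f) & 0x000Fu)

/* Classify a raw DNS reply from its 12-byte header (RFC 1035, RFC 4035). */
enum dnssec_status classify_reply(const uint8_t *msg, size_t len)
{
    if (msg == NULL || len < 12)
        return DS_MALFORMED;
    unsigned flags = ((unsigned)msg[2] << 8) | msg[3];
    if (!(flags & DNS_FLAG_QR))
        return DS_MALFORMED;
    /* A validating resolver answers SERVFAIL (2) when signatures are wrong;
       SERVFAIL has other causes too, so treat it as "failed", not as proof. */
    if (DNS_RCODE(flags) != 0 && DNS_RCODE(flags) != 3)
        return DS_FAILED;
    /* NOERROR (0) or NXDOMAIN (3): AD says whether the answer was validated. */
    return (flags & DNS_FLAG_AD) ? DS_SECURE : DS_INSECURE;
}

/* Application-side decision: returns 1 to use the answer, 0 to refuse it. */
int accept_reply(enum dnssec_status st, enum dnssec_policy policy)
{
    if (st == DS_SECURE) return 1;
    if (st == DS_INSECURE) return policy == POLICY_OPPORTUNISTIC;
    return 0;  /* failed or malformed replies are never used */
}

/* Constructed sample headers: ID 0x1234, one question. */
static const uint8_t hdr_secure[12]   = {0x12,0x34,0x81,0xA0,0,1,0,1,0,0,0,0};
static const uint8_t hdr_insecure[12] = {0x12,0x34,0x81,0x80,0,1,0,1,0,0,0,0};
static const uint8_t hdr_servfail[12] = {0x12,0x34,0x81,0x82,0,1,0,0,0,0,0,0};

int main(void)
{
    printf("secure=%d insecure=%d servfail=%d\n",
           classify_reply(hdr_secure, 12), classify_reply(hdr_insecure, 12),
           classify_reply(hdr_servfail, 12));
    return 0;
}
```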