From: Bernhard Fischer (bfabenteuerland.at)
Date: Sat Dec 20 2008 - 02:27:21 CST
On Wednesday 17 December 2008, Wietse Venema wrote:
> > Bernhard Fischer wrote:
> > > I'd like to use DNSSEC with Postfix.
> > > I did some research on the web but although DNSSEC is there nobody
> > > really cares about it.
> > > The most recent patch for Postfix is for release 2.3 and is based on
> > > libs (libval, libsres) I didn't find any download page for.
> > >
> > > Is there any recent development going on?
> > Although I don't know whether there is actual development or not in
> > DNSSEC, you should bear in mind that there are still a lot of servers
> > which don't support DNSSEC, either because it is disabled, due to
> > problems with the proved denial of existence system used originally, or
> > because the admins haven't updated the machine as DNS is a fairly
> > sensitive service.
> > That said, if Postfix developers want to add DNSSEC support, although
> > that should be implemented on the name resolving libraries, I wouldn't
> > mind sharing my scarce knowledge on it.
> What are the application-visible changes? If one relies on BIND
> etc. for validation, where does DNSSEC affect the application?
> Postfix uses the standard resolver library but these calls are
> entirely encapsulated in a single module.
A resolver basically resolves a name to an IP, no more, no less.
Resolving an IP with DNSSEC could lead to several different answers, i.e. a
name could be resolved DNSSEC valid or invalid (wrong sigs).
As we all know, DNSSEC is not fully deployed yet, that's why I think an
application should have the option to decide how to behave (if a response is
either DNSSEC valid or INVALID).
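What a stub-resolver client can observe when validation is left to a resolver such as BIND, as an added example that is not part of the original post and not Postfix code: the AD bit in the reply header, and SERVFAIL when validation fails. The function names and the `require`/`opportunistic` policy values are hypothetical, and the AD bit is only meaningful over a trusted path to a validating resolver.

```python
import struct

QR, AD, RCODE_MASK, SERVFAIL = 0x8000, 0x0020, 0x000F, 2

def build_query(name, qtype=15, txid=0x1234):
    """MX query (type 15) with RD set and an EDNS0 OPT record carrying DO=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL field holds DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def validation_status(response):
    """Map a reply header to what the validating resolver reported."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags = struct.unpack("!HH", response[:4])
    if not flags & QR:
        raise ValueError("not a response")
    if flags & RCODE_MASK == SERVFAIL:
        # Validation failures (bad signatures) surface as SERVFAIL, which the
        # header alone cannot tell apart from other resolver failures.
        return "failed"
    # AD set: the resolver validated the data. AD clear: unsigned or unvalidated.
    return "secure" if flags & AD else "insecure"

def delivery_action(status, policy):
    """Hypothetical per-destination policy: 'require' or 'opportunistic'."""
    if status == "failed":
        return "defer"      # no usable answer; retry later
    if policy == "require" and status != "secure":
        return "defer"      # refuse answers that were not validated
    return "deliver"

# Constructed reply headers (ID, flags, four zero counts), not captured traffic.
SAMPLE_SECURE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 0, 0, 0, 0)
SAMPLE_INSECURE = struct.pack("!HHHHHH", 0x1234, 0x8180, 0, 0, 0, 0)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 0, 0, 0, 0)

if __name__ == "__main__":
    for reply in (SAMPLE_SECURE, SAMPLE_INSECURE, SAMPLE_SERVFAIL):
        status = validation_status(reply)
        print(status, delivery_action(status, "require"),
              delivery_action(status, "opportunistic"))
```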