On Wednesday 17 December 2008, Wietse Venema wrote:
> klondike:
> > Bernhard Fischer wrote:
> > > I'd like to use DNSSEC with Postfix.
> > > I did some research on the web but although DNSSEC is there nobody
> > > really cares about it.
> > > The most recent patch for Postfix is for release 2.3 and is based on
> > > libs (libval, libsres) I didn't find any download page for.
> > >
> > > Is there any recent development going on?
> >
> > Although I don't know whether there is actual development or not in
> > DNSSEC, you should bear in mind that there are still a lot of servers
> > which don't support DNSSEC, either because it is disabled, due to
> > problems with the proved denial of existence system used originally, or
> > because the admins haven't updated the machine as DNS is a fairly
> > sensitive service.
> >
> > That said, if Postfix developers want to add DNSSEC support, although
> > that should be implemented on the name resolving libraries, I wouldn't
> > mind sharing my, scarce, knowledge on it.
>
> What are the application-visible changes? If one relies on BIND
> etc.  for validation, where does DNSSEC affect the application?
> Postfix uses the standard resolver library but these calls are
> entirely encapsulated in a single module.
>
>       Wietse


A resolver basically resolves a name to an IP, no more, no less.
Resolving an IP with DNSSEC could lead to several different answers, i.e. a 
name could be resolved DNSSEC valid or invalid (wrong sigs).

As we all know, DNSSEC is not fully deployed yet, that's why I think an 
application should have the option to decide how to behave (if a response is 
either DNSSEC valid or INVALID).

Bernhard
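
The distinction discussed in this thread, as an added example that is not part of the original messages and is not Postfix code: an application behind a validating resolver can read the AD bit and RCODE from the reply header and apply its own policy. The policy names, function names and sample headers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum dnssec_status { DNS_SECURE, DNS_INSECURE, DNS_FAILED, DNS_MALFORMED };
/* Hypothetical per-application policy knob, not a Postfix parameter. */
enum dnssec_policy { POLICY_OPPORTUNISTIC, POLICY_REQUIRE_SECURE };

#define DNS_FLAG_QR        0x8000  /* message is a response */
#define DNS_FLAG_AD        0x0020  /* Authenticated Data (RFC 4035) */
#define DNS_RCODE_MASK     0x000f
#define DNS_RCODE_SERVFAIL 2

/* Constructed 12-byte reply headers: ID, flags, then four section counts. */
static const uint8_t SAMPLE_SECURE[]   = {0x12,0x34, 0x81,0xa0, 0,1, 0,1, 0,0, 0,0};
static const uint8_t SAMPLE_INSECURE[] = {0x12,0x35, 0x81,0x80, 0,1, 0,1, 0,0, 0,0};
static const uint8_t SAMPLE_SERVFAIL[] = {0x12,0x36, 0x81,0x82, 0,1, 0,0, 0,0, 0,0};

/* Classify a reply from a validating resolver reached over a trusted path
 * (e.g. loopback); the AD bit means nothing if the path can be spoofed. */
enum dnssec_status classify_reply(const uint8_t *msg, size_t len)
{
    if (msg == NULL || len < 12)
        return DNS_MALFORMED;              /* shorter than a DNS header */
    uint16_t flags = (uint16_t)((msg[2] << 8) | msg[3]);
    if (!(flags & DNS_FLAG_QR))
        return DNS_MALFORMED;              /* a query, not a response */
    /* Validation failure surfaces as SERVFAIL, indistinguishable here
     * from other server failures. */
    if ((flags & DNS_RCODE_MASK) == DNS_RCODE_SERVFAIL)
        return DNS_FAILED;
    return (flags & DNS_FLAG_AD) ? DNS_SECURE : DNS_INSECURE;
}

/* Return 1 if the application may use the answer under the given policy. */
int accept_reply(enum dnssec_status st, enum dnssec_policy pol)
{
    if (st == DNS_SECURE)
        return 1;
    if (st == DNS_INSECURE)
        return pol == POLICY_OPPORTUNISTIC;
    return 0;                              /* failed or malformed: never use */
}

int main(void)
{
    const uint8_t *samples[] = {SAMPLE_SECURE, SAMPLE_INSECURE, SAMPLE_SERVFAIL};
    for (int i = 0; i < 3; i++)
        printf("sample %d: strict policy accept=%d\n", i,
               accept_reply(classify_reply(samples[i], 12), POLICY_REQUIRE_SECURE));
    return 0;
}
```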
