On Wednesday 17 December 2008, Wietse Venema wrote:
> klondike:
> > Bernhard Fischer wrote:
> > > I'd like to use DNSSEC with Postfix.
> > > I did some research on the web but although DNSSEC is there nobody
> > > really cares about it.
> > > The most recent patch for Postfix is for release 2.3 and is based on
> > > libs (libval, libsres) I didn't find any download page for.
> > >
> > > Is there any recent development going on?
> >
> > Although I don't know whether there is actual development or not in
> > DNSSEC, you should bear in mind that there are still a lot of servers
> > which don't support DNSSEC, either because it is disabled, due to
> > problems with the proved denial of existence system used originally, or
> > because the admins haven't updated the machine as DNS is a fairly
> > sensitive service.
> >
> > That said, if Postfix developers want to add DNSSEC support, although
> > that should be implemented on the name resolving libraries, I wouldn't
> > mind sharing my, scarce, knowledge on it.
>
> What are the application-visible changes? If one relies on BIND
> etc. for validation, where does DNSSEC affect the application?
> Postfix uses the standard resolver library but these calls are
> entirely encapsulated in a single module.
>
> Wietse

A resolver basically resolves a name to an IP, no more, no less. Resolving an IP with DNSSEC could lead to several different answers, i.e. a name could be resolved DNSSEC valid or invalid (wrong sigs). As we all know, DNSSEC is not fully deployed yet, that's why I think an application should have the option to decide how to behave (if a response is either DNSSEC valid or INVALID).

Bernhard
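What a client behind a validating resolver can actually see of the valid/invalid distinction discussed in this thread, as an added example that is not part of the original messages and is not Postfix code: the AD bit and the response code in the DNS reply header, mapped onto a per-application policy. All names are hypothetical, the sample headers are constructed, and the AD bit is assumed to come from a trusted validating resolver over a protected path (for example on localhost).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical names for this example; none are Postfix identifiers. */
enum dnssec_status { DNS_SECURE, DNS_INSECURE, DNS_FAILED, DNS_MALFORMED };
enum dnssec_policy { POLICY_OPPORTUNISTIC, POLICY_REQUIRE_SECURE };

#define DNS_HDR_LEN    12
#define FLAG_QR        0x80  /* header byte 2: message is a response */
#define FLAG_AD        0x20  /* header byte 3: Authenticated Data (RFC 4035) */
#define RCODE_MASK     0x0F  /* header byte 3: response code */
#define RCODE_NXDOMAIN 3

/* Constructed 12-byte reply headers (ID 0x1234, one question). */
const uint8_t reply_secure[]   = {0x12,0x34, 0x81,0xA0, 0,1, 0,1, 0,0, 0,0};
const uint8_t reply_insecure[] = {0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0};
const uint8_t reply_servfail[] = {0x12,0x34, 0x81,0x82, 0,1, 0,0, 0,0, 0,0};

/* Classify a reply using only what the validating resolver exposes. */
enum dnssec_status classify_reply(const uint8_t *msg, size_t len)
{
    if (msg == NULL || len < DNS_HDR_LEN || !(msg[2] & FLAG_QR))
        return DNS_MALFORMED;
    unsigned rcode = msg[3] & RCODE_MASK;
    /* A validation failure reaches the client as SERVFAIL, and so do
     * ordinary server errors: the header alone cannot tell them apart. */
    if (rcode != 0 && rcode != RCODE_NXDOMAIN)
        return DNS_FAILED;
    return (msg[3] & FLAG_AD) ? DNS_SECURE : DNS_INSECURE;
}

/* Return 1 if the application may act on the reply, 0 if it must not. */
int policy_accepts(enum dnssec_status st, enum dnssec_policy pol)
{
    return st == DNS_SECURE ||
           (st == DNS_INSECURE && pol == POLICY_OPPORTUNISTIC);
}

int main(void)
{
    const uint8_t *msgs[] = {reply_secure, reply_insecure, reply_servfail};
    for (int i = 0; i < 3; i++) {
        enum dnssec_status st = classify_reply(msgs[i], DNS_HDR_LEN);
        printf("reply %d: status=%d opportunistic=%d require=%d\n", i, (int)st,
               policy_accepts(st, POLICY_OPPORTUNISTIC),
               policy_accepts(st, POLICY_REQUIRE_SECURE));
    }
    return 0;
}
```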