Wietse Venema wrote:
> klondike:
>
>> Bernhard Fischer wrote:
>>
>>> I'd like to use DNSSEC with Postfix.
>>> I did some research on the web but although DNSSEC is there nobody really
>>> cares about it.
>>> The most recent patch for Postfix is for release 2.3 and is based on libs
>>> (libval, libsres) I didn't find any download page for.
>>>
>>> Is there any recent development going on?
>>>
>>>
>> Although I don't know whether there is actual development or not in
>> DNSSEC, you should bear in mind that there are still a lot of servers
>> which don't support DNSSEC, either because it is disabled, due to
>> problems with the proved denial of existence system used originally, or
>> because the admins haven't updated the machine as DNS is a fairly
>> sensitive service.
>>
>> That said, if Postfix developers want to add DNSSEC support, although
>> that should be implemented in the name resolving libraries, I wouldn't
>> mind sharing my, scarce, knowledge on it.
>>
>
> What are the application-visible changes? If one relies on BIND
> etc. for validation, where does DNSSEC affect the application?
> Postfix uses the standard resolver library but these calls are
> entirely encapsulated in a single module.
>
> Wietse

It's a confidence thing over all. You can be more sure of the correctness of a signed, authoritative DNS answer than of an unsigned one. Supposedly, the lookup library should ignore the answers with an invalid signature or those unsigned when the server certifies it could use DNSSEC.

Anyway, there are some attacks based on DNS poisoning which could affect the mail system. As an example, you can imagine a spammer who sends fake SPF RRs to various DNS servers forging the origin IP so the MTAs would accept as legit the mail it sends. There are also other more dangerous attacks like a man in the middle which I will not expose here.

Of course, a properly signed SPF RR is more trustworthy than an unsigned one and you can be mostly sure a signed RR is valid.

Francisco Blas Izquierdo Riera
Developer of Kontinuidad Jabata
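The application-visible change Wietse asks about is, when a validating resolver such as BIND does the DNSSEC work, the AD (Authenticated Data) bit in the response header: an application that wants the confidence described above accepts a record only when that bit is set. The following is an added example, not code from this thread or from Postfix; it hand-builds a TXT response for the constructed name example.invalid carrying an SPF record, and the parser returns the record only if AD is set and the RCODE is NOERROR.

```python
import struct
from typing import List, Optional

AD_BIT = 0x0020          # Authenticated Data flag in the DNS header (RFC 4035)
RCODE_MASK = 0x000F
TYPE_TXT = 16

def build_response(ad_flag: bool) -> bytes:
    """Constructed sample response for 'example.invalid. IN TXT' (not a real capture)."""
    flags = 0x8180 | (AD_BIT if ad_flag else 0)           # QR, RD, RA (+AD)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    qname = b"\x07example\x07invalid\x00"
    question = qname + struct.pack("!HH", TYPE_TXT, 1)    # QTYPE TXT, QCLASS IN
    txt = b"v=spf1 ip4:192.0.2.0/24 -all"
    rdata = bytes([len(txt)]) + txt                       # one <character-string>
    # Owner name is a compression pointer (0xC00C) back to the question name.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 300, len(rdata)) + rdata
    return header + question + answer

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed domain name; returns (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def validated_txt(msg: bytes) -> Optional[List[str]]:
    """Return TXT strings from the answer section only if the validating
    resolver set AD; None means the answer must not be trusted for SPF."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & RCODE_MASK != 0 or not flags & AD_BIT:
        return None
    off = 12
    for _ in range(qd):                                   # skip the question section
        _, off = read_name(msg, off)
        off += 4
    out: List[str] = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_TXT:
            p = off
            while p < off + rdlen:                        # walk the <character-string>s
                n = msg[p]
                out.append(msg[p + 1:p + 1 + n].decode("ascii"))
                p += 1 + n
        off += rdlen
    return out
```

A non-validating stub resolver never sets AD, so the same SPF record returned without the bit is rejected rather than silently trusted.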