On Thu, Sep 10, 2015 at 08:57:50PM +0200, Michael Ströder wrote:

> > One might also imagine an alternative interface:
> > 
> >     example.com secure match=nexthop:dot-nexthop:dnssec-hostname
> > 
> > Where "dnssec-hostname" matches the hostname only if securely
> > obtained.  This would not require secure MX RRsets, but would make
> > use of them to "improve" PKIX name matching when present.
> 
> Maybe I do not fully understand what you're saying.

Indeed you did not understand.  "Securely obtained" means obtained
from a "secure" MX RRset.

> Mainly it's the MX lookup that I'm concerned about.

That's what the alternative feature does: it makes MX hostnames
available *only* when they are resistant against active attacks.

But in this variant there is no requirement for DNSSEC.  Rather,
without DNSSEC only names related to the nexthop domain are checked,
and "insecure" MX hostnames are not.

I think the second way is more broadly useful.

-- 
        Viktor.
