[Unbound-users] Google Public DNS
Joe Abley
jabley at hopcount.ca
Wed Mar 20 21:35:47 UTC 2013
On 2013-03-20, at 17:06, Phil Pennock <unbound-users+phil at spodhuis.org> wrote:
> On 2013-03-20 at 07:55 -0400, Joe Abley wrote:
>> I think if an application wants to _rely_ on DNSSEC, then it should be
>> setting the DO bit and the CD bit, and doing its own validation.
>
> This violates encapsulation and segregation of concerns.
>
> For an MTA with a caching validating resolver on localhost (since all
> but the validating part is common best practice today):
>
> If validation logic goes into an MTA, then the MTA needs to be updated
> to know about new signing algorithms, deal with yet more discovered
> flaws in DNSSEC handling, and generally process UDP data received over
> the network as the mail run-time user.
... or by linking against a libresolv type API that includes validation, under the hood.
> I don't see any way I'd be happy moving the rest of the validation logic
> into the MTA. We let Unbound do what Unbound is good at, and trust it.
> Exim works _with_ other systems and is already pretty damned large for a
> security-sensitive component, without deciding we can't trust any other
> part of the OS and its facilities and replicating them internally.
>
> In fact, I'm going to go so far as to say "Hell no!" -- we won't be
> smoking that crack.
:-)
Joe
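As an added illustration (not code from this thread, Exim or Unbound), here is what the two positions above look like on the wire: a minimal query builder that sets CD in the header and DO in an EDNS0 OPT record, as Joe suggests for an application validating on its own, and the AD/CD/RCODE check an application would apply when it instead relies on a local validating resolver, as Phil describes. Sample messages, the query name and the transaction id are constructed here.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 3225).
FLAG_RD = 0x0100   # recursion desired
FLAG_AD = 0x0020   # authentic data: resolver validated the answer
FLAG_CD = 0x0010   # checking disabled: resolver must not validate for us
EDNS_DO = 0x00008000  # DO bit lives in the high bit of the OPT RR's 16-bit flags,
                      # i.e. bit 15 of the 32-bit "TTL" field (ext-rcode, version, DO, Z)

def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(qname, qtype, txid=0x1234, cd=True, do=True, udp_size=4096):
    """Wire-format query. CD asks the resolver not to validate on our behalf; DO
    asks it to include RRSIG/DNSKEY/NSEC records so the application can validate."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)  # ARCOUNT=1 for OPT
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)            # CLASS IN
    opt = b""
    if do:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP size, TTL = DO flag, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, EDNS_DO, 0)
    return header + question + opt

def parse_flags(msg):
    """Header fields an application looks at before trusting an answer."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F}

def resolver_says_validated(msg):
    """The 'trust the local validator' model: accept only an AD-flagged NOERROR reply
    in which CD is clear. If the client set CD it opted out of resolver validation,
    so AD carries no assurance for it and it must validate the RRSIGs itself."""
    f = parse_flags(msg)
    return f["rcode"] == 0 and f["ad"] and not f["cd"]

# Constructed reply headers (id 0x1234, QR/RD/RA set, one question, one answer):
REPLY_AD = b"\x12\x34\x81\xa0\x00\x01\x00\x01\x00\x00\x00\x00"       # AD set, CD clear
REPLY_CD = b"\x12\x34\x81\x90\x00\x01\x00\x01\x00\x00\x00\x00"       # CD echoed back
REPLY_SERVFAIL = b"\x12\x34\x81\x82\x00\x01\x00\x00\x00\x00\x00\x00" # RCODE 2: bogus data, CD clear
```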