Maintained by: NLnet Labs

[Unbound-users] Google Public DNS

Joe Abley
Wed Mar 20 22:35:47 CET 2013

On 2013-03-20, at 17:06, Phil Pennock <unbound-users+phil at> wrote:

> On 2013-03-20 at 07:55 -0400, Joe Abley wrote:
>> I think if an application wants to _rely_ on DNSSEC, then it should be
>> setting the DO bit and the CD bit, and doing its own validation.
> This violates encapsulation and segregation of concerns.
> For an MTA with a caching validating resolver on localhost (since all
> but the validating part is common best practice today):
> If validation logic goes into an MTA, then the MTA needs to be updated
> to know about new signing algorithms, deal with yet more discovered
> flaws in DNSSEC handling, and generally process UDP data received over
> the network as the mail run-time user.

... or by linking against a libresolv type API that includes validation, under the hood.

> I don't see any way I'd be happy moving the rest of the validation logic
> into the MTA.  We let Unbound do what Unbound is good at, and trust it.
> Exim works _with_ other systems and is already pretty damned large for a
> security-sensitive component, without deciding we can't trust any other
> part of the OS and its facilities and replicating them internally.
> In fact, I'm going to go so far as to say "Hell no!" -- we won't be
> smoking that crack.