Re: [exim-dev] DANE

Author: Jeremy Harris
Date:  
To: exim-dev
Subject: Re: [exim-dev] DANE
On 18/04/16 23:25, Viktor Dukhovni wrote:
>>>   * TLSA record lookup failures are not handled correctly.
>>>     If the host's A records are signed,

>>
>> Signed in what fashion?
>
> I should perhaps have said "DNSSEC validated", that is that the A
> records are in a "signed zone".
>
>>>     then TLSA record lookup
>>>     failure must block connections to the host, whether dane is
>>>     "required" or not.  On the other hand, insecure TLSA records,
>>>     (CNAME to insecure zone perhaps) should simply be ignored.


You want to enforce that DANE is used any place DNSSEC is used?
Perhaps I misunderstand; this does not seem viable.
--
Cheers,
Jeremy
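
Added example, not part of the message above and not Exim code: the TLSA handling rule from the quoted text, written as a decision function. All names are hypothetical. The branches for unsigned address records, validated absence of TLSA records, and the "required" fallbacks are assumptions modelled on RFC 7672, not statements from the thread.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical names for this sketch; these are not Exim identifiers. */
typedef enum { TLSA_SECURE, TLSA_INSECURE, TLSA_ABSENT, TLSA_LOOKUP_FAILED } tlsa_result;
typedef enum { USE_DANE, NO_DANE, SKIP_HOST } dane_action;

/* addr_secure:   the host's A/AAAA records were DNSSEC validated.
   dane_required: local policy says DANE must be used for this host. */
dane_action dane_decide(bool addr_secure, tlsa_result tlsa, bool dane_required)
{
    /* Assumption (RFC 7672): with unsigned address records no TLSA
       answer can be trusted, so the TLSA result is not consulted. */
    if (!addr_secure)
        return dane_required ? SKIP_HOST : NO_DANE;

    switch (tlsa) {
    case TLSA_SECURE:
        return USE_DANE;
    case TLSA_LOOKUP_FAILED:
        /* From the thread: signed zone plus a failed TLSA lookup blocks
           the connection whether DANE is "required" or not, because a
           suppressed answer cannot be told apart from a downgrade. */
        return SKIP_HOST;
    case TLSA_INSECURE:   /* from the thread: e.g. CNAME into an insecure zone, ignored */
    case TLSA_ABSENT:     /* assumption: validated denial of existence */
        return dane_required ? SKIP_HOST : NO_DANE;
    }
    return SKIP_HOST;     /* unknown input: fail closed */
}

static const char *action_name(dane_action a)
{
    return a == USE_DANE ? "use DANE" : a == NO_DANE ? "no DANE" : "skip host";
}

int main(void)
{
    /* Constructed cases: signed A records, DANE not required. */
    static const char *label[] = { "secure TLSA", "insecure TLSA", "no TLSA", "lookup failed" };
    for (int t = TLSA_SECURE; t <= TLSA_LOOKUP_FAILED; t++)
        printf("%-14s -> %s\n", label[t],
               action_name(dane_decide(true, (tlsa_result)t, false)));
    return 0;
}
```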