On 18/04/16 23:25, Viktor Dukhovni wrote:
>>> * TLSA record lookup failures are not handled correctly.
>>> If the host's A records are signed,
>>
>> Signed in what fashion?
>
> I should perhaps have said "DNSSEC validated", that is that the A
> records are in a "signed zone".
>
>>> then TLSA record lookup
>>> failure must block connections to the host, whether dane is
>>> "required" or not. On the other hand, insecure TLSA records,
>>> (CNAME to insecure zone perhaps) should simply be ignored.

You want to enforce that DANE is used any place DNSSEC is used?
Perhaps I misunderstand; this does not seem viable.
--
Cheers,
Jeremy
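As an added example, not code from this thread or from any of the implementations under discussion, the quoted policy can be written as a small decision function: when the host's A records are DNSSEC-validated, a TLSA lookup that fails (bogus validation, SERVFAIL, timeout) blocks the connection regardless of whether DANE is "required", while TLSA data that is provably insecure (for example reached through a CNAME into an unsigned zone) is treated as if no TLSA records exist. The enum and function names, the `dane_required` parameter, and the handling of an authenticated "no TLSA records" answer under a required setting are assumptions made for the illustration; the sample TLSA record is constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Security(Enum):
    """Outcome of a DNS lookup as reported by a validating resolver."""
    SECURE = "secure"      # DNSSEC-validated answer (or validated denial of existence)
    INSECURE = "insecure"  # provably unsigned: no trust chain, e.g. CNAME into an insecure zone
    BOGUS = "bogus"        # signatures present but validation failed
    ERROR = "error"        # SERVFAIL / timeout: no answer and no proof of absence


@dataclass(frozen=True)
class TlsaLookup:
    status: Security
    records: tuple = ()    # TLSA RRs as (usage, selector, mtype, data) tuples; empty if none


class Decision(Enum):
    DANE = "authenticate with TLSA records"
    PLAIN = "connect without DANE"
    BLOCK = "refuse to connect"


def dane_policy(a_status: Security, tlsa: TlsaLookup, dane_required: bool = False) -> Decision:
    """Decide how to connect given the validation state of the A and TLSA lookups.

    Assumption: `dane_required` means a connection with no usable TLSA data is refused.
    """
    # A records that cannot be resolved at all leave nothing to connect to.
    if a_status in (Security.BOGUS, Security.ERROR):
        return Decision.BLOCK

    # Unsigned A records: DANE is not applicable, whatever the TLSA lookup returned.
    if a_status is Security.INSECURE:
        return Decision.BLOCK if dane_required else Decision.PLAIN

    # From here on the A records are DNSSEC-validated ("in a signed zone").

    # Lookup failure: no answer and no authenticated denial. An attacker who can
    # suppress the TLSA response must not be able to downgrade us, so block even
    # when DANE is merely opportunistic.
    if tlsa.status in (Security.BOGUS, Security.ERROR):
        return Decision.BLOCK

    # Insecure TLSA data cannot be trusted; ignore it as if no records existed.
    if tlsa.status is Security.INSECURE:
        return Decision.BLOCK if dane_required else Decision.PLAIN

    # Secure answer: use the records if there are any, otherwise an authenticated
    # denial of existence means this host simply does not publish TLSA.
    if tlsa.records:
        return Decision.DANE
    return Decision.BLOCK if dane_required else Decision.PLAIN


# Constructed sample record: DANE-EE(3), SPKI(1), SHA-256(1), placeholder digest.
SAMPLE_TLSA = (3, 1, 1, "0000000000000000000000000000000000000000000000000000000000000000")


if __name__ == "__main__":
    cases = [
        ("signed A, TLSA lookup timed out", Security.SECURE, TlsaLookup(Security.ERROR), False),
        ("signed A, TLSA via CNAME into unsigned zone", Security.SECURE,
         TlsaLookup(Security.INSECURE, (SAMPLE_TLSA,)), False),
        ("signed A, secure TLSA present", Security.SECURE,
         TlsaLookup(Security.SECURE, (SAMPLE_TLSA,)), False),
        ("unsigned A, TLSA lookup failed", Security.INSECURE, TlsaLookup(Security.ERROR), False),
    ]
    for label, a, t, req in cases:
        print(f"{label}: {dane_policy(a, t, req).value}")
```

The point the function makes explicit is the asymmetry in the quoted text: a lookup *failure* is a potential downgrade attack and is fatal even for opportunistic DANE, while *insecure* TLSA data is merely absent trust and falls back to whatever the non-DANE policy allows.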