Re: [exim] How can I establish that DANE is working correctl…

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] How can I establish that DANE is working correctly?
On 25/04/17 14:51, Viktor Dukhovni wrote:
> I might also mention that Exim's DANE support is not yet feature-complete.
> It is still vulnerable to active downgrade attacks by tampering with the
> TLSA RRset in DNS responses. When TLSA lookups fail, Exim continues without
> DANE, while RFC7672 explains that DANE clients need to skip the associated
> MX host in that case in order to avoid downgrade attacks.


How many of the set of MXs should that suggestion be applied to?

If "all", how should the MTA distinguish the situation from
"there really were no TLSAs, and the responding DNS is faulty" ?
--
Cheers,
Jeremy
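The exchange above turns on how an MTA should tell "the zone really has no TLSA records" apart from "the TLSA lookup failed". RFC 7672 draws that line at DNSSEC: an authenticated denial of existence (NXDOMAIN or an empty, AD-validated answer) means DANE simply does not apply to that host, while a SERVFAIL, a timeout or a bogus validation result is a lookup failure that cannot be distinguished from tampering, so that MX host is skipped and the next one is tried. The following is an added illustration of that decision, written for this note; it is not Exim's code and not anything either poster wrote. The resolver responses it consumes are constructed stand-ins (rcode, AD bit, record list) rather than real DNS messages.

```python
"""Added example: classify a TLSA lookup outcome per RFC 7672 and apply it
per MX host. Not Exim code; the TlsaAnswer objects are constructed inputs."""
from dataclasses import dataclass, field
from enum import Enum


class Rcode(Enum):
    NOERROR = "NOERROR"
    NXDOMAIN = "NXDOMAIN"
    SERVFAIL = "SERVFAIL"   # a validating resolver also returns this for "bogus"
    TIMEOUT = "TIMEOUT"     # no response at all (constructed pseudo-rcode)


@dataclass
class TlsaAnswer:
    """Constructed stand-in for the resolver's reply to _25._tcp.<mx> IN TLSA."""
    rcode: Rcode
    ad: bool                                   # AD bit: DNSSEC-validated answer/denial
    records: list = field(default_factory=list)  # TLSA RDATA strings (constructed)


class Outcome(Enum):
    DANE_REQUIRED = "enforce DANE"       # authenticated TLSA records present
    NO_DANE = "opportunistic TLS"        # authenticated denial, or unsigned zone
    SKIP_HOST = "skip this MX host"      # lookup failed: tampering cannot be ruled out


def classify_tlsa(answer: TlsaAnswer) -> Outcome:
    """Decide what a DANE-aware client does with one MX host's TLSA lookup."""
    if answer.rcode in (Rcode.SERVFAIL, Rcode.TIMEOUT):
        # Lookup failure. An attacker dropping or corrupting the TLSA response
        # produces exactly this, so falling back to plain TLS would be a
        # downgrade; RFC 7672 says to skip the host instead.
        return Outcome.SKIP_HOST
    if not answer.ad:
        # Unsigned zone: DANE is not applicable and nothing was "removed".
        return Outcome.NO_DANE
    if answer.rcode == Rcode.NXDOMAIN or not answer.records:
        # Authenticated denial of existence: the zone genuinely publishes no TLSA
        # records for this host. This is the "there really were no TLSAs" case.
        return Outcome.NO_DANE
    return Outcome.DANE_REQUIRED


def plan_delivery(mx_answers: dict) -> list:
    """Apply the rule host by host (each MX is judged on its own lookup).

    Returns the hosts still eligible for delivery, in the order given, with the
    outcome for each. An empty list means every MX host had a failed TLSA
    lookup, and the message should be deferred rather than sent without DANE.
    """
    plan = []
    for host, answer in mx_answers.items():
        outcome = classify_tlsa(answer)
        if outcome is Outcome.SKIP_HOST:
            continue  # try the next MX host; do not downgrade this one
        plan.append((host, outcome))
    return plan


if __name__ == "__main__":
    # Constructed sample: three MX hosts with different lookup results.
    sample = {
        "mx1.example.test": TlsaAnswer(Rcode.NOERROR, True, ["3 1 1 <digest placeholder>"]),
        "mx2.example.test": TlsaAnswer(Rcode.SERVFAIL, False),
        "mx3.example.test": TlsaAnswer(Rcode.NOERROR, True, []),
    }
    for host, outcome in plan_delivery(sample):
        print(f"{host}: {outcome.value}")
```

The point the loop makes for the "how many MXs" question is that the skip is per host, not per domain: a failed lookup removes only that host from the candidate list, and the client defers only when no host survives. The AD check is what separates a faulty resolver from an empty RRset; without DNSSEC validation the client has no way to make that distinction, which is why the rule assumes a validating resolver.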