Re: [exim] How can I establish that DANE is working correctl…

Top Page
This message is part of the following thread:
M\the complete thread tree sorted by date
MMViktor Dukhovni at <-
MMViktor Dukhovni at ->
Delete this message
Reply to this message
Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] How can I establish that DANE is working correctly?
On 25/04/17 14:51, Viktor Dukhovni wrote:
> I might also mention that Exim's DANE support is not yet feature-complete.
> It is still vulnerable to active downgrade attacks by tampering with the
> TLSA RRset in DNS responses. When TLSA lookups fail, Exim continues without
> DANE, while RFC7672 explains that DANE clients need to skip the associated
> MX host in that case in order to avoid downgrade attacks.

How many of the set of MXs should that suggestion be applied to?

If "all", how should the MTA distinguish the situation from
"there really were no TLSAs, and the responding DNS is faulty" ?
--
Cheers,
Jeremy

This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] How can I establish that DANE is working correctly?Re: [exim] How can I establish that DANE is working correctly?->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)