Re: [exim] How can I establish that DANE is working correctl…

Author: Jeremy Harris
Date:
To: exim-users
Subject: Re: [exim] How can I establish that DANE is working correctly?
On 25/04/17 14:51, Viktor Dukhovni wrote:
> I might also mention that Exim's DANE support is not yet feature-complete.
> It is still vulnerable to active downgrade attacks by tampering with the
> TLSA RRset in DNS responses. When TLSA lookups fail, Exim continues without
> DANE, while RFC7672 explains that DANE clients need to skip the associated
> MX host in that case in order to avoid downgrade attacks.


How many of the set of MXs should that suggestion be applied to?

If "all", how should the MTA distinguish the situation from
"there really were no TLSAs, and the responding DNS is faulty" ?
--
Cheers,
Jeremy
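
The per-host handling of TLSA lookup outcomes discussed in this message, as an added sketch (not part of the thread and not Exim's code). The outcome classes, function names and sample hosts are assumptions of the example; it assumes a trusted validating resolver whose AD bit marks DNSSEC-validated answers, and it treats a validated denial or an unsigned zone as "no DANE for this host", following RFC 7672 as read here.

```python
from enum import Enum

class Action(Enum):
    DANE = "TLS required, authenticate against TLSA RRset"
    NO_DANE = "deliver as without DANE"
    SKIP_HOST = "do not use this MX host"

def classify(rcode, ad, tlsa_count, timed_out=False):
    """Map one TLSA answer from a trusted validating resolver to an outcome."""
    if timed_out or rcode not in ("NOERROR", "NXDOMAIN"):
        return "failed"            # SERVFAIL also covers DNSSEC-bogus data
    if not ad:
        return "insecure"          # unsigned zone: no DANE promise was made
    return "secure-rrset" if tlsa_count else "secure-denial"

def decide(outcome, fail_closed=True):
    if outcome == "secure-rrset":
        return Action.DANE
    if outcome in ("secure-denial", "insecure"):
        return Action.NO_DANE
    # Lookup failed: skipping the host is the downgrade-resistant choice;
    # fail_closed=False models the continue-without-DANE behaviour in the quote.
    return Action.SKIP_HOST if fail_closed else Action.NO_DANE

def plan(mx_answers, fail_closed=True):
    """mx_answers: (preference, host, rcode, ad, tlsa_count) per MX host.
    Returns ([(host, Action), ...] in preference order, defer_flag)."""
    steps = []
    for pref, host, rcode, ad, count in sorted(mx_answers, key=lambda m: m[0]):
        steps.append((host, decide(classify(rcode, ad, count), fail_closed)))
    # Defer the message only when no host at all may be used.
    defer = all(action is Action.SKIP_HOST for _, action in steps)
    return steps, defer

# Constructed sample: the TLSA answer for mx1 failed validation (seen as
# SERVFAIL); mx2's zone is signed and provably has no TLSA records.
SAMPLE = [
    (10, "mx1.example.net", "SERVFAIL", False, 0),
    (20, "mx2.example.net", "NOERROR", True, 0),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("fail_closed =", mode, plan(SAMPLE, fail_closed=mode))
```

Each MX host is judged on its own answer, so one failed lookup removes only that host from the plan; the message is deferred only if every host ends up skipped.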