> On Sep 4, 2018, at 8:52 AM, Jeremy Harris via Exim-users <exim-users@???> wrote:
>
> As the docs say:
>
> "DANE-TA usage is effectively declaring a specific CA to be used; this
> might be a private CA or a public, well-known one."
>
> That CA needs to be known by the Exim configuration.
Sorry, that's simply wrong. Exim MUST support validation via
DANE-TA(2) trust-anchors that ARE NOT configured locally. Indeed
Exim SHOULD ignore the local trust-anchors when validating usage
DANE-TA(2) TLSA records. All that's required is that the remote
server include the trust-anchor certificate in its TLS certificate
message.
If Exim is to claim DANE support it MUST either correctly handle
non-public trust-anchors, or else MUST ignore "unusable" TLSA
RRsets that contain DANE-TA(2) TLSA records. Indeed even "mixed"
TLSA RRsets with some DANE-EE(3) records and some DANE-TA(2)
records should probably be ignored until this issue is resolved (if
it is not user error), because quite often only the DANE-TA(2)
records are valid.
My advice to the user would be to use a version of Exim that
is linked with OpenSSL and NOT GnuTLS. The Exim DANE support
in combination with GnuTLS is not nearly as well tested or
supported.
--
Viktor.
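The matching rules Viktor describes above, as an added worked example (this is not Exim's code, nor anything from the Exim-users thread): a DANE-TA(2) record is matched against the issuer certificates the server sends in its TLS Certificate message, with no local trust store consulted, while a DANE-EE(3) record is matched against the leaf; an RRset with no usable records is treated as unusable per RFC 7671 section 4.1, and the optional skip_sets_with_ta switch implements the workaround of ignoring any RRset that carries DANE-TA(2) records when usage 2 is not supported. The certificate bytes, names and the TLSA records are constructed stand-ins, not real DER, and the function names are this example's own. Signature verification from the leaf up to the matched trust anchor, name checks and expiry checks are left to the TLS library and are not shown here.

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# TLSA RDATA field values (RFC 6698 / RFC 7671).
DANE_TA = 2   # certificate usage 2: trust anchor supplied in the server's chain
DANE_EE = 3   # certificate usage 3: the end-entity certificate itself
SEL_CERT, SEL_SPKI = 0, 1                # selector: full certificate or SubjectPublicKeyInfo
MT_FULL, MT_SHA256, MT_SHA512 = 0, 1, 2  # matching type: exact bytes, SHA-256, SHA-512


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: the DER of the whole cert and of its SPKI."""
    name: str
    der: bytes
    spki: bytes


def selected_bytes(cert: Cert, selector: int) -> bytes:
    return cert.der if selector == SEL_CERT else cert.spki


def tlsa_digest(blob: bytes, mtype: int) -> bytes:
    """Apply the TLSA matching type to the selected certificate data."""
    if mtype == MT_FULL:
        return blob
    if mtype == MT_SHA256:
        return hashlib.sha256(blob).digest()
    return hashlib.sha512(blob).digest()


def record_matches(rec: TLSA, cert: Cert) -> bool:
    return tlsa_digest(selected_bytes(cert, rec.selector), rec.mtype) == rec.data


def is_usable(rec: TLSA, supported_usages: FrozenSet[int]) -> bool:
    """RFC 7671 4.1: a record whose usage, selector or matching type the client
    does not support is 'unusable' and is ignored."""
    return (rec.usage in supported_usages
            and rec.selector in (SEL_CERT, SEL_SPKI)
            and rec.mtype in (MT_FULL, MT_SHA256, MT_SHA512))


def validate(records: List[TLSA], chain: List[Cert],
             supported_usages: FrozenSet[int] = frozenset({DANE_TA, DANE_EE}),
             skip_sets_with_ta: bool = False) -> Tuple[str, Optional[TLSA]]:
    """Return ('ok', matched record), ('fail', None) or ('unusable', None).

    'unusable' means: no usable record, so the client falls back to its
    non-DANE (opportunistic) behaviour instead of failing the connection.
    chain is the server's TLS Certificate message, leaf first, issuers after.
    """
    # Workaround from the message above: if DANE-TA(2) is not supported, ignore
    # any RRset that contains DANE-TA(2) records rather than risk a hard failure.
    if skip_sets_with_ta and DANE_TA not in supported_usages \
            and any(r.usage == DANE_TA for r in records):
        return ("unusable", None)
    usable = [r for r in records if is_usable(r, supported_usages)]
    if not usable:
        return ("unusable", None)
    leaf, issuers = chain[0], chain[1:]
    for rec in usable:
        if rec.usage == DANE_EE and record_matches(rec, leaf):
            return ("ok", rec)
        if rec.usage == DANE_TA:
            # The trust anchor must be among the issuer certs the server sent;
            # the locally configured CA bundle plays no part in this decision.
            if any(record_matches(rec, ca) for ca in issuers):
                return ("ok", rec)
    return ("fail", None)


# Constructed sample data (not real DER): a private CA, the MX host's leaf cert,
# and a "mixed" RRset whose DANE-EE(3) record still names a rotated-away key.
CA = Cert("Example Private CA", b"DER:ca-cert", b"DER:ca-spki")
LEAF = Cert("mx.example.com", b"DER:leaf-cert", b"DER:leaf-spki")
CHAIN = [LEAF, CA]
STALE_LEAF_SPKI = b"DER:old-leaf-spki"
RRSET = [
    TLSA(DANE_TA, SEL_CERT, MT_SHA256, tlsa_digest(CA.der, MT_SHA256)),          # "2 0 1 <hash>"
    TLSA(DANE_EE, SEL_SPKI, MT_SHA256, tlsa_digest(STALE_LEAF_SPKI, MT_SHA256)),  # "3 1 1 <hash>", stale
]

if __name__ == "__main__":
    print("full DANE support:   ", validate(RRSET, CHAIN)[0])                                   # ok, via the TA record
    print("no DANE-TA support:  ", validate(RRSET, CHAIN, frozenset({DANE_EE}))[0])            # fail
    print("skip sets with TA:   ", validate(RRSET, CHAIN, frozenset({DANE_EE}), True)[0])      # unusable
```

With both usages supported the stale DANE-EE(3) record is simply skipped and the DANE-TA(2) record matches the CA sent in the chain, which is the case the message says is common in practice. A client that lacks DANE-TA(2) support sees the same RRset as "usable but non-matching" and hard-fails unless it applies the skip_sets_with_ta policy and falls back.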