Re: [exim] DANE ERROR: TLSA LOOKUP DEFER

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
> On Mar 23, 2020, at 8:54 AM, daniel via Exim-users <exim-users@???> wrote:
>
> We recently received complaints from many of our end users that they are having problems sending email to *.gov.hk with this exim error:
> DANE ERROR: TLSA LOOKUP DEFER
> However, we have contacted our government and their response is:
> “Our DNSSEC setup is fine, and it is not necessary to have DANE setup together with DNSSEC, so it is the exim MTA problem. We have not actually set up DANE.”
> Now here comes the problem: how can we solve this problem passively? We have many cPanel servers with Exim.


Would it help if one of the authors of the DANE RFC (e.g. yours truly)
would write to them explaining that they are mistaken, and in fact their
DNSSEC is broken, and does affect many sending domains, and it is impractical
for all the senders to work around their misconfiguration?

Do you have specific .gov.hk example domains you're at liberty to mention?
None are on my list of domains with TLSA lookup breakage. So before I
make a fool of myself writing to them (you'd have to provide a contact
who'd be willing to discuss the issue in English) I'd prefer to double-check
that the issue is indeed on their end.

-- 
    Viktor.