Re: [exim] DANE ERROR: TLSA LOOKUP DEFER

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Viktor Dukhovni
Fecha:  
A: exim-users
Asunto: Re: [exim] DANE ERROR: TLSA LOOKUP DEFER
On Tue, Mar 31, 2020 at 12:04:06PM +0100, Jeremy Harris via Exim-users wrote:
> On 30/03/2020 07:50, daniel via Exim-users wrote:


> > And is exim
> > by default will try DANE on all hosts or not? Because i dont found 
> > these two configs in the exim config currently.
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch-concept_index.html#index_concept_D


Jeremy, there is perhaps a cut-n-paste error in the SMTP transport variable docs:

    http://exim.org/exim-html-current/doc/html/spec_html/ch-the_smtp_transport.html#SECID146


The text for "hosts_require_dane" and "hosts_try_dane" reads the same:

    hosts_require_dane  Use: smtp   Type: host list†    Default: unset


        If built with DANE support, Exim will require that a DNSSEC-validated
        TLSA record is present for any host matching the list, and that a
        DANE-verified TLS connection is made. See the dnssec_request_domains
        router and transport options. There will be no fallback to in-clear
        communication. See section 43.15. 


    hosts_try_dane  Use: smtp   Type: host list†    Default: *


        If built with DANE support, Exim will require that a DNSSEC-validated
        TLSA record is present for any host matching the list, and that a
        DANE-verified TLS connection is made. See the dnssec_request_domains
        router and transport options. There will be no fallback to in-clear
        communication. See section 43.15. 


But, presumably, with the "try" variant, the TLSA RRs are not actually
required, and DANE is applied only when TLSA RRs are present
(RFC7672-style opportunistic DANE TLS).

--
    Viktor.