[exim-dev] [Bug 2704] DANE client-side documentation issues

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2704] DANE client-side documentation issues
https://bugs.exim.org/show_bug.cgi?id=2704

--- Comment #5 from Simon Arlott <bugzilla.exim.simon@???> ---
I'd want to do DANE for all hosts that are DNSSEC signed but not require it
otherwise.

(In reply to Jeremy Harris from comment #4)
> if (host lookup was dnssec)
>   if (require dane or try dane)
>     do TLSA lookup
>     if (succeed TLSA)
>       if (TLSA lookup was dnssec)
>         require DANE-verified TLS connection
>       else
>         if (require dane)
>           do not make connection


I'd need to set "hosts_require_dane = *" to get here.

>         else /* try dane */
>           ordinary connection
>     elif (nodata TLSA)          /* or NOMATCH */
>       if (require dane)
>         do not make connection


If this is signed then the NXDOMAIN is ok and it could proceed with
opportunistic TLS.

>       else
>         ordinary connection
>     else (fail lookup TLSA)
>       do not make connection
> else  
>   if (require dane)
>     do not make connection


If I set "hosts_require_dane = *" then I end up here but I don't want that.

>   else                          /* try_dane, or unspecified */
>     ordinary connection


There doesn't appear to be a way to require DANE if there's a signed TLSA
result without also refusing connections when the host lookup is not signed.

I'd expect that if the host lookup is signed, the TLSA result must be signed
(either present or not present) and then strictly followed. As described above,
"hosts_try_dane = *" is insecure if the TLSA result is unsigned and
"hosts_require_dane = *" is too strict for general use.

--
You are receiving this mail because:
You are on the CC list for the bug.
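The decision tree quoted from comment #4 and the stricter behaviour asked for in this comment, modelled side by side so the two scenarios raised above (host lookup signed but TLSA answer unsigned under hosts_try_dane; host lookup unsigned under hosts_require_dane) can be run through both. This is an added example, not Exim code and not code from either commenter; the enum names, the Host record, the constructed scenarios and the "strict_if_signed" policy (including its treatment of a signed NODATA as "no DANE published, fall back to ordinary TLS") are assumptions made for illustration.

```python
"""DANE client-side policy comparison (added example, not Exim's code).

comment4_policy   - the decision tree quoted from comment #4.
strict_if_signed  - the behaviour asked for in comment #5: a DNSSEC-signed
                    host lookup means the TLSA answer must also be signed
                    (present or absent) and is then strictly followed;
                    an unsigned host lookup requires nothing.
All names and scenario values below are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum, auto


class TlsaResult(Enum):
    FOUND = auto()    # one or more TLSA records returned
    NODATA = auto()   # NODATA / NXDOMAIN: no TLSA at the name (NOMATCH)
    FAIL = auto()     # lookup failure (SERVFAIL, timeout, ...)


class Action(Enum):
    DANE_TLS = auto()       # connect, require DANE-verified TLS
    ORDINARY = auto()       # connect, ordinary (opportunistic) TLS
    NO_CONNECTION = auto()  # do not make the connection


@dataclass(frozen=True)
class Host:
    host_lookup_dnssec: bool   # was the host (MX/A) lookup DNSSEC-validated?
    tlsa: TlsaResult           # outcome of the TLSA lookup, if one is made
    tlsa_dnssec: bool = False  # was the TLSA answer DNSSEC-validated?


def comment4_policy(host: Host, require_dane: bool, try_dane: bool) -> Action:
    """Decision tree as quoted from comment #4. require_dane / try_dane
    are whether hosts_require_dane / hosts_try_dane matched this host."""
    if host.host_lookup_dnssec:
        if not (require_dane or try_dane):
            return Action.ORDINARY  # assumption: branch not shown in quote
        if host.tlsa is TlsaResult.FOUND:
            if host.tlsa_dnssec:
                return Action.DANE_TLS
            # TLSA answer present but unsigned: cannot be trusted
            return Action.NO_CONNECTION if require_dane else Action.ORDINARY
        if host.tlsa is TlsaResult.NODATA:
            return Action.NO_CONNECTION if require_dane else Action.ORDINARY
        return Action.NO_CONNECTION  # TLSA lookup failed
    # host lookup was not signed
    return Action.NO_CONNECTION if require_dane else Action.ORDINARY


def strict_if_signed_policy(host: Host) -> Action:
    """Behaviour asked for in comment #5: DANE for every signed host,
    nothing required for unsigned hosts. Assumption: a signed NODATA is
    a trustworthy 'no TLSA published' and falls back to ordinary TLS."""
    if not host.host_lookup_dnssec:
        return Action.ORDINARY
    if host.tlsa is TlsaResult.FAIL:
        return Action.NO_CONNECTION
    if not host.tlsa_dnssec:
        # signed host but unsigned TLSA answer (present or absent) is a
        # downgrade; refuse rather than fall back to ordinary TLS
        return Action.NO_CONNECTION
    if host.tlsa is TlsaResult.FOUND:
        return Action.DANE_TLS
    return Action.ORDINARY  # signed NODATA/NXDOMAIN: no DANE published


def compare(host: Host) -> dict:
    """Run one host through 'hosts_try_dane = *', 'hosts_require_dane = *'
    and the strict-if-signed policy."""
    return {
        "try_dane": comment4_policy(host, require_dane=False, try_dane=True),
        "require_dane": comment4_policy(host, require_dane=True, try_dane=False),
        "strict_if_signed": strict_if_signed_policy(host),
    }


# Constructed scenarios (not real hosts).
SIGNED_HOST_UNSIGNED_TLSA = Host(True, TlsaResult.FOUND, tlsa_dnssec=False)
SIGNED_HOST_SIGNED_TLSA = Host(True, TlsaResult.FOUND, tlsa_dnssec=True)
SIGNED_HOST_SIGNED_NODATA = Host(True, TlsaResult.NODATA, tlsa_dnssec=True)
UNSIGNED_HOST = Host(False, TlsaResult.NODATA)

if __name__ == "__main__":
    for name, host in [("signed host, unsigned TLSA", SIGNED_HOST_UNSIGNED_TLSA),
                       ("signed host, signed TLSA", SIGNED_HOST_SIGNED_TLSA),
                       ("signed host, signed NODATA", SIGNED_HOST_SIGNED_NODATA),
                       ("unsigned host", UNSIGNED_HOST)]:
        print(name, {k: v.name for k, v in compare(host).items()})
```

Running it shows the two complaints in the comment directly: for the signed host with an unsigned TLSA answer, "try_dane" yields ORDINARY (the insecure fallback) while "require_dane" and "strict_if_signed" refuse; for the unsigned host, "require_dane" refuses while the other two connect. Only the strict-if-signed policy gives DANE for the signed host and ordinary TLS for the unsigned one at the same time.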