Re: [exim-dev] [Bug 2704] DANE client-side documentation iss…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 2704] DANE client-side documentation issues
On Sat, Mar 06, 2021 at 11:04:57PM +0000, admin--- via Exim-dev wrote:

> https://bugs.exim.org/show_bug.cgi?id=2704
>
> --- Comment #5 from Simon Arlott <bugzilla.exim.simon@???> ---
> I'd want to do DANE for all hosts that are DNSSEC signed but not require it
> otherwise.
This makes no sense. On what basis would you expect to have TLSA
records for all MX hosts in DNSSEC-signed zones?

> There doesn't appear to be a way to require DANE if there's a signed TLSA
> result without also refusing connections when the host lookup is not signed.
You appear to be confused. DANE is *required* when there are signed
DANE TLSA records.

> I'd expect that if the host lookup is signed, the TLSA result must be signed
> (either present or not present) and then strictly followed.
That's not always true. Some zones have "insecure" denial of existence
via NSEC3 opt-out. Also, the TLSA qname could be a CNAME (perhaps
wildcard synthesised) into an unsigned zone.

> As described above, "hosts_try_dane = *" is insecure if the TLSA
> result is unsigned.
If there are no signed TLSA records, then DANE is not enforced. That's
correct. There's not much point in honouring unsigned TLSA records,
they're supposed to defend against *active* attacks. For passive
monitoring, just STARTTLS is enough. Active on-path attackers can just
return forged TLSA replies matching the certs of their MiTM stack.

-- 
    Viktor.
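Added illustration, not Exim's code and not part of the thread: a small Python model of the client-side decision Viktor describes, in the spirit of RFC 7672. Resolver results are plain data constructed inline (the TLSA hashes are placeholders, not real certificate digests), and the mapping of `require_dane=False` to `hosts_try_dane` and `require_dane=True` to `hosts_require_dane` is an assumption about how Exim's options line up with the model.

```python
"""Model of an SMTP client's DANE decision (RFC 7672 flavour).

Added example, not Exim's own code. Resolver results are plain data built
inline; the Exim option mapping (require_dane=False ~ hosts_try_dane,
require_dane=True ~ hosts_require_dane) is an assumption.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class Outcome(Enum):
    DANE = "dane-enforced"           # signed, usable TLSA: verify or fail closed
    OPPORTUNISTIC = "opportunistic"  # STARTTLS if offered, nothing authenticated
    DEFER = "defer"                  # temporary failure; never downgrade instead
    FAIL = "fail"                    # DANE was required but is unavailable


@dataclass(frozen=True)
class TlsaRecord:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 full, 1 SHA-256, 2 SHA-512
    data_hex: str


@dataclass(frozen=True)
class TlsaAnswer:
    records: Tuple[TlsaRecord, ...]  # empty tuple: the name has no TLSA RRset
    secure: bool                     # answer or denial was DNSSEC-validated
    bogus: bool = False              # validation failed outright


def usable(rr: TlsaRecord) -> bool:
    # RFC 7672 section 3.1.3: PKIX usages (0 and 1) are not used for SMTP;
    # the other fields must also hold values the client understands.
    return rr.usage in (2, 3) and rr.selector in (0, 1) and rr.mtype in (0, 1, 2)


def decide(mx_host_secure: bool, tlsa: TlsaAnswer,
           require_dane: bool = False) -> Tuple[Outcome, str]:
    """Return the policy for one MX host plus a short reason."""
    fallback = Outcome.FAIL if require_dane else Outcome.OPPORTUNISTIC

    if tlsa.bogus:
        # A forged or broken answer is a lookup failure, not "no DANE".
        return Outcome.DEFER, "TLSA lookup bogus; retry later, do not downgrade"

    if not mx_host_secure:
        return fallback, "MX host name not obtained via DNSSEC; DANE not applicable"

    if not tlsa.records:
        if tlsa.secure:
            return fallback, "secure denial of existence: host publishes no TLSA"
        return fallback, ("unsigned denial (NSEC3 opt-out or CNAME into an "
                          "unsigned zone): no signed TLSA to enforce")

    if not tlsa.secure:
        return fallback, ("unsigned TLSA records ignored: an on-path attacker "
                          "could forge them to match its own certificate")

    if not any(usable(rr) for rr in tlsa.records):
        # A signed RRset exists but nothing the client can use: fail closed.
        return Outcome.DEFER, "signed TLSA RRset has no usable records"

    return Outcome.DANE, "signed, usable TLSA records: certificate must match"


# Constructed records; the digests are placeholders, not real values.
DANE_EE = TlsaRecord(3, 1, 1, "00" * 32)
PKIX_EE = TlsaRecord(1, 0, 1, "11" * 32)


def thread_scenarios() -> Dict[str, Tuple[Outcome, str]]:
    """The cases raised in the thread, keyed by a short label."""
    return {
        "signed TLSA": decide(True, TlsaAnswer((DANE_EE,), secure=True)),
        "unsigned TLSA": decide(True, TlsaAnswer((DANE_EE,), secure=False)),
        "opt-out denial": decide(True, TlsaAnswer((), secure=False)),
        "secure denial, required": decide(True, TlsaAnswer((), secure=True),
                                          require_dane=True),
        "bogus answer": decide(True, TlsaAnswer((), secure=False, bogus=True)),
        "only PKIX usages": decide(True, TlsaAnswer((PKIX_EE,), secure=True)),
    }


if __name__ == "__main__":
    for label, (outcome, why) in thread_scenarios().items():
        print(f"{label:24} {outcome.value:14} {why}")
```

The point the model makes explicit is the asymmetry in the thread: a validated TLSA RRset turns DANE on and failures fail closed, while anything unsigned (records or denials) contributes nothing, because an active attacker who can tamper with the unsigned answer can just as easily supply TLSA data that matches its own certificate.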