[exim-dev] [Bug 2704] DANE client-side documentation issues

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2704] DANE client-side documentation issues
https://bugs.exim.org/show_bug.cgi?id=2704

--- Comment #10 from Andreas Metzler <eximusers@???> ---
(In reply to Jeremy Harris from comment #4)
[...]

How about updating the spec as follows?
----------------------
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 6ce9d87da..16ef527bd 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -30109,13 +30109,21 @@ those who use &%hosts_require_ocsp%&, should consider
the interaction with DANE

For client-side DANE there are three new smtp transport options,
&%hosts_try_dane%&, &%hosts_require_dane%&
and &%dane_require_tls_ciphers%&.
-The &"require"& variant will result in failure if the target host is not
-DNSSEC-secured. To get DNSSEC-secured hostname resolution, use
+The &"require"& variant will result in failure if DANE verification of the
+certificate fails or is not possible, like e.g. if the target host is not
+DNSSEC-secured. On the other hand &%hosts_try_dane%& will fall back to
+non-DANE if any of the necessary pre-conditions up to and including
+DNSSEC-secured lookup of the TLSA record are not met. - It will still fail
+without fallback to non-DANE if the preconditions are met but the server
+certificate cannot be verified against the data in the TLSA record.
+To get DNSSEC-secured hostname resolution, use
the &%dnssec_request_domains%& router or transport option.

DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA
records.

-A TLSA lookup will be done if either of the above options match and the
host-lookup succeeded using DNSSEC.
+A TLSA lookup will be done if either &%hosts_try_dane%& or
+&%hosts_require_dane%& options match (DANE "requested") and the host-lookup
+succeeded using DNSSEC.
If a TLSA lookup is done and succeeds, a DANE-verified TLS connection
will be required for the host. If it does not, the host will not
be used; there is no fallback to non-DANE or non-TLS.
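Review bot: the closing sentence "If it does not, the host will not be used; there is no fallback to non-DANE or non-TLS." now contradicts the new &%hosts_try_dane%& text earlier in the hunk. "It" can be read as "the TLSA lookup", and on that reading a failed TLSA lookup means the host is dropped, whereas the new paragraph above says &%hosts_try_dane%& falls back to non-DANE when "DNSSEC-secured lookup of the TLSA record" is not met. Suggest spelling the subject out, e.g. "If the TLSA lookup succeeds but the server certificate cannot be verified against it, the host will not be used; there is no fallback to non-DANE or non-TLS.", so the only no-fallback case is the one the new text already describes. Two smaller points in the same hunk: "like e.g. if the target host" doubles up ("for example, if the target host" reads better), and the bare " - It will still fail" uses a dash as a sentence break; a full stop is enough. Finally, as rendered here the line "host-lookup succeeded using DNSSEC." carries no "-" marker although its wording is replaced by the following "+" lines; if that is not an artefact of the mail, the applied hunk would leave a dangling duplicate of that line.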
----------------------

It is not perfect since there is some duplicate information which is spelled
out more verbosely later, but imho it clarifies things quite a bit.

--
You are receiving this mail because:
You are on the CC list for the bug.
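
As an added illustration (not part of this bug comment or of the Exim documentation it proposes to change), the following shows how the options discussed in the proposed text fit together in a router/transport pair: DNSSEC-validated lookups requested on both the router and the transport, opportunistic DANE for every destination, and mandatory DANE for one chosen peer. The router and transport names, the domain list and the host name are placeholders for this example; &%dane_require_tls_ciphers%& is deliberately left out because its value depends on the TLS library Exim is built against.

```exim
# Added example (not from the bug report or the Exim spec). Names such as
# "dnslookup", "remote_smtp" and "mail.example.org" are placeholders.

# --- Routers ---------------------------------------------------------------
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  # Ask the resolver for DNSSEC-validated answers for the MX and A lookups.
  # Without this, DANE can never be used because the host lookup is not
  # DNSSEC-secured.
  dnssec_request_domains = *
  no_more

# --- Transports -------------------------------------------------------------
remote_smtp:
  driver = smtp
  # Same request for any host lookups the transport performs itself.
  dnssec_request_domains = *
  # Opportunistic DANE for all hosts: a TLSA lookup is made when the host
  # lookup was DNSSEC-secured. If any precondition up to and including a
  # DNSSEC-secured TLSA lookup is not met, delivery falls back to non-DANE.
  # If the TLSA lookup succeeds but the certificate does not match, the
  # host is not used; there is no fallback.
  hosts_try_dane = *
  # Mandatory DANE for one peer: delivery to this host fails if DANE
  # verification is not possible or the certificate does not match.
  hosts_require_dane = mail.example.org
```

A quick way to check which path a delivery took is to run a test delivery with `exim -bt`-style debugging (`exim -d+tls -odf` against a queued message) and look for the TLSA lookup and DANE verification lines in the debug output; a host listed in &%hosts_require_dane%& whose zone is not signed will show up as a deferred delivery rather than a plaintext or ordinary-TLS session.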