On 07/07/2024 17:10, Viktor Dukhovni via Exim-users wrote:
> What are the server's TLSA records in that case?
(testsuite syntax, but you get the gist)
DNSSEC mxdane512ee MX 1 dane512ee
DNSSEC dane512ee A HOSTIPV4
DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 e8173aaefffadc6c96700f7f396a17b8e590ebd15b081f1455abb152afecceb16a5534707ecd64611c8b6d8b9111f82e3fa954b98c6b230cda0e9be386747b71
> Could the use of SNI
> depend on usage DANE-EE(3)?
> In this case all the TLSA records are "2 1 1".
> Also the TLSA records are behind a CNAME
With a (single) 2 1 1 TLSA behind a CNAME, we still record an SNI having been presented:
DNSSEC mxdane256tak MX 1 dane256tak
DNSSEC dane256tak A HOSTIPV4
DNSSEC _1225._tcp.dane256tak CNAME _tlsa._tcp.dane256tak
DNSSEC _tlsa._tcp.dane256tak TLSA 2 1 1 beabbe636030e4c26d15a015e878c2a607ed5a87774443ffbc6991ec01d2b6b1
Server log line:
1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256tak.test.ex S=sss id=E10HmbA-000000005vi-0000@??? for t1@???
^^^^^^^^^^^^^^^^^^^^^^
--
Cheers,
Jeremy