On 18/04/16 23:25, Viktor Dukhovni wrote:
>>> * TLSA record lookup failures are not handled correctly.
>>> If the host's A records are signed,
>>
>> Signed in what fashion?
>
> I should perhaps have said "DNSSEC validated", that is that the A
> records are in a "signed zone".
>
>>> then TLSA record lookup
>>> failure must block connections to the host, whether dane is
>>> "required" or not. On the other hand, insecure TLSA records,
>>> (CNAME to insecure zone perhaps) should simply be ignored.
You want to enforce that DANE is used any place DNSSEC is used? Perhaps I misunderstand; this does not seem viable.

-- 
Cheers,
  Jeremy

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev
## Exim details at http://www.exim.org/ ##
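The distinction Viktor draws above (a DNSSEC-validated host whose TLSA lookup *fails* versus one whose TLSA data is merely *insecure*) is easy to get wrong in client code, so here is the decision logic as an added example. It is not Exim's code and not part of the thread; the names `Validation`, `TlsaLookup`, `classify_answer`, `decide` and the `dane_required` flag are assumptions for illustration, and it assumes a local validating resolver that sets the AD bit on validated answers and returns SERVFAIL for bogus ones.

```python
"""Added example (not Exim code): DANE decision logic for one SMTP host.

Three TLSA lookup outcomes matter for the point made in the thread:
  secure   - the TLSA RRset, or its validated absence, carries DNSSEC proof
  insecure - the name is in an unsigned zone, or a CNAME led into one
  bogus    - validation failed, SERVFAIL, or any other lookup error
A bogus result must block even when DANE is not required; an insecure
result is ignored as if no TLSA records existed. All names are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Validation(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"


class Decision(Enum):
    BLOCK = "block"        # do not connect; defer delivery
    DANE = "dane"          # TLS authenticated against the validated TLSA RRset
    NO_DANE = "no-dane"    # connect without DANE (opportunistic TLS as configured)


@dataclass(frozen=True)
class TlsaRecord:
    usage: int
    selector: int
    matching_type: int
    data: str              # hex-encoded certificate association data


@dataclass
class TlsaLookup:
    status: Validation
    # Empty with status SECURE means a validated NXDOMAIN/NODATA answer.
    records: list = field(default_factory=list)


def classify_answer(rcode: str, ad: bool) -> Validation:
    """Map a validating resolver's reply to a Validation state.

    Assumes the resolver is local and trusted (so the AD bit is meaningful)
    and that it answers SERVFAIL for data that fails DNSSEC validation.
    """
    if rcode == "SERVFAIL":
        return Validation.BOGUS
    if rcode in ("NOERROR", "NXDOMAIN"):
        return Validation.SECURE if ad else Validation.INSECURE
    # Any other rcode (REFUSED, timeouts mapped by the caller, ...) is a failure.
    return Validation.BOGUS


def decide(a_status: Validation, tlsa: TlsaLookup, dane_required: bool) -> Decision:
    """Decide how to treat a host given its A-record and TLSA lookup results."""
    # If the address records are not DNSSEC-validated, DANE cannot protect
    # this host: an attacker who can forge the A record never needs to touch
    # TLSA. Only a hard "dane required" policy blocks here.
    if a_status is not Validation.SECURE:
        return Decision.BLOCK if dane_required else Decision.NO_DANE

    # Signed A records: a TLSA lookup *failure* is indistinguishable from an
    # attacker suppressing the records, so it blocks the connection whether
    # or not DANE was required.
    if tlsa.status is Validation.BOGUS:
        return Decision.BLOCK

    # Insecure TLSA data (e.g. a CNAME into an unsigned zone) carries no
    # authentication and is ignored, exactly as a validated empty RRset is.
    if tlsa.status is Validation.INSECURE or not tlsa.records:
        return Decision.BLOCK if dane_required else Decision.NO_DANE

    # Validated, non-empty TLSA RRset: authenticate the TLS session with DANE.
    return Decision.DANE


if __name__ == "__main__":
    # Constructed sample record (DANE-EE, SPKI, SHA-256); the digest is made up.
    rec = TlsaRecord(3, 1, 1, "ab" * 32)
    for a_status, tlsa, required in [
        (Validation.SECURE, TlsaLookup(Validation.BOGUS), False),
        (Validation.SECURE, TlsaLookup(Validation.INSECURE, [rec]), False),
        (Validation.SECURE, TlsaLookup(Validation.SECURE, [rec]), False),
        (Validation.SECURE, TlsaLookup(Validation.SECURE), True),
        (Validation.INSECURE, TlsaLookup(Validation.BOGUS), False),
    ]:
        print(a_status.value, tlsa.status.value, "required" if required else "try",
              "->", decide(a_status, tlsa, required).value)
```

The first row of the demo table is the case from the thread: signed A records plus a TLSA SERVFAIL gives `block` even in "try" mode, while an insecure TLSA answer in the second row falls through to `no-dane`.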
