https://bugs.exim.org/show_bug.cgi?id=2704
--- Comment #10 from Andreas Metzler <[email protected]> --- (In reply to Jeremy Harris from comment #4) [...] How about updating spec as follows? ---------------------- diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 6ce9d87da..16ef527bd 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt 
@@ -30109,13 +30109,21 @@ those who use &%hosts_require_ocsp%&, should consider the interaction with DANE For client-side DANE there are three new smtp transport options, &%hosts_try_dane%&, &%hosts_require_dane%& and &%dane_require_tls_ciphers%&. -The &"require"& variant will result in failure if the target host is not -DNSSEC-secured. To get DNSSEC-secured hostname resolution, use +The &"require"& variant will result in failure if DANE verification of the +certificate fails or is not possible, like e.g. if the target host is not +DNSSEC-secured. On the other hand &%hosts_try_dane%& will fall back to +non-DANE if any of the necessary pre-conditions up to and including +DNSSEC-secured lookup of the TLSA record are not met. - It will still fail +without fallback to non-DANE if the preconditions are met but the server +certificate cannot be verified against the data in the TLSA record. +To get DNSSEC-secured hostname resolution, use the &%dnssec_request_domains%& router or transport option. DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records. -A TLSA lookup will be done if either of the above options match and the host-lookup succeeded using DNSSEC. +A TLSA lookup will be done if either &%hosts_try_dane%& or +&%hosts_require_dane%& options match (DANE "requested") and the host-lookup +succeeded using DNSSEC. If a TLSA lookup is done and succeeds, a DANE-verified TLS connection will be required for the host. If it does not, the host will not be used; there is no fallback to non-DANE or non-TLS. ---------------------- It is not perfect since there is some duplicate information which is spelled out more verbosely later, but imho it clarifies things quite a bit. -- You are receiving this mail because: You are on the CC list for the bug. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
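Review bot: the stray " - " after "lookup of the TLSA record are not met." in the added &%hosts_try_dane%& paragraph reads like a deletion marker, but the hunk header's line counts (-13 +21: three removed lines, eleven added) only add up if "- It will still fail" is the tail of that added line, so the dash should be dropped and the text read "...lookup of the TLSA record are not met. It will still fail without fallback to non-DANE if the preconditions are met but the server certificate cannot be verified against the data in the TLSA record." In the same paragraph, "pre-conditions" and "preconditions" are both used (pick one spelling), "like e.g. if the target host is not DNSSEC-secured" should be "for example if the target host is not DNSSEC-secured", and in the last added sentence "if either &%hosts_try_dane%& or &%hosts_require_dane%& options match" should be "if either ... option matches". The new sentence on failing without fallback when the certificate does not match the TLSA data restates the retained "If it does not, the host will not be used; there is no fallback to non-DANE or non-TLS." a few lines below; consider stating the no-fallback rule once and having the other place refer to it, so the two descriptions cannot drift apart.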
