author | Phil Pennock <pdp@exim.org> | 2013-03-25 19:04:29 -0400 |
---|---|---|
committer | Phil Pennock <pdp@exim.org> | 2013-03-25 19:04:29 -0400 |
commit | 103da95f2352c30476f044e473596e40d1f5c818 (patch) | |
tree | 3d9c0a1cffbaef7e7d63d57fba35833a4371fcf9 | |
parent | 61088b32969bfdd122b0ab329e3360974d35fa0d (diff) | |
download | exim4-103da95f2352c30476f044e473596e40d1f5c818.tar.gz |
Clarify impact of need_dnssec on smtp transport
Feedback from Jeremy
-rw-r--r-- | doc/doc-docbook/spec.xfpt | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 2d6e1d757..09b1aace6 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -22694,6 +22694,11 @@ If this option is set, then DNSSEC results must be verifiable, and both bogus and unsigned data will be ignored. Setting this without setting &%dns_dnssec_ok%& in the main section is probably a mistake. +This only applies to hostname to IP mappings performed by the transport +itself, such as for the &%hosts%& option. When the lookups are performed +by a router such as &(dnslookup)&, it is the router's &%need_dnssec%& setting +which applies. + See chapter &<<CHAPdnssec>>& for more discussion. @@ -26137,6 +26142,11 @@ When resolving DNS in a &(dnslookup)& or &(manualroute)& router or in an will skip &'Insecure'& results too and it will appear that only &'Secure'& results exist in DNS. +If a router performs the hostname to IP mapping, then the &(smtp)& transport +uses the results of that and its own &%need_dnssec%& setting does not apply. +The &(smtp)& transport's setting applies to results from looking up options +such as &%hosts%& or &%fallback_hosts%& on the transport itself. + .section "Resolver Setup" "SECTdnssecressetup" When validation is working, &'www.cam.ac.uk'& will have the AD flag set on the |
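Review bot: In the first hunk (@@ -22694), the new paragraph names only &%hosts%& as an example of a lookup the transport performs itself, while the paragraph added in the second hunk lists "&%hosts%& or &%fallback_hosts%&". Listing both options here as well would keep the two descriptions of the same rule consistent, so a reader of the option text alone does not conclude that &%fallback_hosts%& lookups escape the transport's &%need_dnssec%& setting.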
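Review bot: In the second hunk (@@ -26137), the added paragraph says the &(smtp)& transport's own &%need_dnssec%& "does not apply" when a router did the hostname to IP mapping, but it stops short of saying which setting does apply. The first hunk states it directly ("it is the router's &%need_dnssec%& setting which applies"); repeating that here would make clear that setting the option on the transport alone leaves router-resolved hosts unchecked. The phrase "uses the results of that" would also read more clearly as "uses the router's results".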