DANE: do not check dns_again_means_nonexist for TLSA results of TRY_AGAIN

author: Jeremy Harris <jgh146exb@wizmail.org> 2023-01-05 18:39:51 +0000
committer: Jeremy Harris <jgh146exb@wizmail.org> 2023-01-05 18:39:51 +0000
commit: 30520c8f87fcf660ed99a2344cae7f9787f7bc89 (patch)
tree: d54235f8859fd44eb139a3a4f5ee7e0cd079864d /doc/doc-txt
parent: e1aca33756f73c22b00a98d40ce2be8ed94464b1 (diff)
download: exim4-30520c8f87fcf660ed99a2344cae7f9787f7bc89.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index f51a23c9c..45834756b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -98,6 +98,10 @@ JH/20 Bug 2954: (OpenSSL) Fix setting of explicit EC curve/group.  Previously
       this always failed, probably leading to the usual downgrade to in-clear
       connections.
 
+JH/20 Fix TLSA lookups.  Previously dns_again_means_nonexist would affect
+      SERVFAIL results, which breaks the downgrade resistance of DANE.  Change
+      to not checking that list for these looks.
+
 
 Exim version 4.96
 -----------------
author	Jeremy Harris <jgh146exb@wizmail.org>	2023-01-05 18:39:51 +0000
committer	Jeremy Harris <jgh146exb@wizmail.org>	2023-01-05 18:39:51 +0000
commit	30520c8f87fcf660ed99a2344cae7f9787f7bc89 (patch)
tree	d54235f8859fd44eb139a3a4f5ee7e0cd079864d /doc/doc-txt
parent	e1aca33756f73c22b00a98d40ce2be8ed94464b1 (diff)
download	exim4-30520c8f87fcf660ed99a2344cae7f9787f7bc89.tar.gz