From 30520c8f87fcf660ed99a2344cae7f9787f7bc89 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 5 Jan 2023 18:39:51 +0000 Subject: DANE: do not check dns_again_means_nonexist for TLSA results of TRY_AGAIN --- doc/doc-docbook/spec.xfpt | 7 ++++++- doc/doc-txt/ChangeLog | 4 ++++ 2 files changed, 10 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 946f55b11..9243bd3f9 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -15621,7 +15621,12 @@ by a setting such as this: .code dns_again_means_nonexist = *.in-addr.arpa .endd -This option applies to all DNS lookups that Exim does. It also applies when the +This option applies to all DNS lookups that Exim does, +.new +except for TLSA lookups (where knowing about such failures +is security-relevant). +.wen +It also applies when the &[gethostbyname()]& or &[getipnodebyname()]& functions give temporary errors, since these are most likely to be caused by DNS lookup problems. The &(dnslookup)& router has some options of its own for controlling what happens diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index f51a23c9c..45834756b 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -98,6 +98,10 @@ JH/20 Bug 2954: (OpenSSL) Fix setting of explicit EC curve/group. Previously this always failed, probably leading to the usual downgrade to in-clear connections. +JH/20 Fix TLSA lookups. Previously dns_again_means_nonexist would affect + SERVFAIL results, which breaks the downgrade resistance of DANE. Change + to not checking that list for these looks. + Exim version 4.96 ----------------- -- cgit v1.2.1
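Review bot: in the spec.xfpt hunk, the new parenthetical "(where knowing about such failures is security-relevant)" does not say which failures it means or why they matter; the paragraph has just explained that the option turns temporary DNS errors into nonexistence, so the exception should state that explicitly. Suggest wording along the lines of "except for TLSA lookups (a temporary failure there must not be treated as the absence of a TLSA record, since that would allow delivery to proceed without DANE and defeat its downgrade resistance)". That also ties the exception to the reason given in the ChangeLog entry, which the spec text currently leaves the reader to infer.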
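Review bot: the new ChangeLog entry reuses the number JH/20, which the entry immediately above it (Bug 2954, the EC curve/group fix) already carries; it should be JH/21 so entries remain uniquely referenceable. In the last line, "these looks" should read "these lookups". The entry also names SERVFAIL, while the commit subject and the spec text describe the affected results as TRY_AGAIN / temporary errors; naming the result class the option actually acts on (temporary-error results, of which SERVFAIL is the common cause) would keep the entry consistent with the documented semantics of dns_again_means_nonexist.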