DANE: do not check dns_again_means_nonexist for TLSA results of TRY_AGAIN

author: Jeremy Harris <jgh146exb@wizmail.org> 2023-01-05 18:39:51 +0000
committer: Jeremy Harris <jgh146exb@wizmail.org> 2023-01-05 18:39:51 +0000
commit: 30520c8f87fcf660ed99a2344cae7f9787f7bc89 (patch)
tree: d54235f8859fd44eb139a3a4f5ee7e0cd079864d /doc/doc-docbook
parent: e1aca33756f73c22b00a98d40ce2be8ed94464b1 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 946f55b11..9243bd3f9 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -15621,7 +15621,12 @@ by a setting such as this:
 .code
 dns_again_means_nonexist = *.in-addr.arpa
 .endd
-This option applies to all DNS lookups that Exim does. It also applies when the
+This option applies to all DNS lookups that Exim does,
+.new
+except for TLSA lookups (where knowing about such failures
+is security-relevant).
+.wen
+It also applies when the
 &[gethostbyname()]& or &[getipnodebyname()]& functions give temporary errors,
 since these are most likely to be caused by DNS lookup problems. The
 &(dnslookup)& router has some options of its own for controlling what happens
author	Jeremy Harris <jgh146exb@wizmail.org>	2023-01-05 18:39:51 +0000
committer	Jeremy Harris <jgh146exb@wizmail.org>	2023-01-05 18:39:51 +0000
commit	30520c8f87fcf660ed99a2344cae7f9787f7bc89 (patch)
tree	d54235f8859fd44eb139a3a4f5ee7e0cd079864d /doc/doc-docbook
parent	e1aca33756f73c22b00a98d40ce2be8ed94464b1 (diff)