| author | Jeremy Harris <jgh146exb@wizmail.org> | 2016-04-24 16:53:25 +0100 |
|---|---|---|
| committer | Jeremy Harris <jgh146exb@wizmail.org> | 2016-04-24 16:53:25 +0100 |
| commit | 4b0fe31936b336d12836875101dcac6599d127ee (patch) | |
| tree | 2495b59338f71113b5fbf3b4d2659fc3e709710c /doc/doc-txt/ChangeLog | |
| parent | c035b645ba3549472b9a835b845c2027b16a4cf2 (diff) | |
DANE: Remove fallback from hosts_try_dane. If TLSA record not retrieved,
do not use this host.
Diffstat (limited to 'doc/doc-txt/ChangeLog')
-rw-r--r-- | doc/doc-txt/ChangeLog | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 496e9d07e..cecd2a038 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -10,6 +10,16 @@ JH/02 The obsolete acl condition "demime" is removed (finally, after ten years of being deprecated). The replacements are the ACLs acl_smtp_mime and acl_not_smtp_mime. +JH/03 Upgrade security requirements imposed for hosts_try_dane: previously + a downgraded non-dane trust-anchor for the TLS connection (CA-style) + or even an in-clear connection were permitted. Now, if the host lookup + was dnssec and dane was requested then the host is only used if the + TLSA lookup succeeds and is dnssec. Further hosts (eg. lower priority + MXs) will be tried (for hosts_try_dane though not for hosts_require_dane) + if one fails this test. + This means that a poorly-configured remote DNS will make it incommunicado; + but it protects against a DNS-interception attack on it. + Exim version 4.87 ----------------- |
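Review bot: the JH/03 entry and the commit message disagree on scope and the entry should spell out the non-dnssec case. The commit message says "If TLSA record not retrieved, do not use this host" unconditionally, whereas the entry conditions the new behaviour on "if the host lookup was dnssec and dane was requested"; a reader cannot tell from the entry what hosts_try_dane does when the MX/A lookup itself was not dnssec-validated (still connect with a CA-anchored or cleartext session, or skip the host). Add one sentence stating that case explicitly, since it is exactly the downgrade path the entry says is being closed. Minor: "eg." should be "e.g.", and the last two lines would read better as "This means a poorly-configured remote DNS will make that domain unreachable, but it protects against DNS-interception attacks on it."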