X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/de78e2d59e3924238648b8fb363a1412fa9e499d..1a6230a33e235e2b008caabd112f8bc6cb1bcc60:/doc/doc-txt/experimental-spec.txt?ds=sidebyside diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index 4836a7d51..993b5b05c 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -884,18 +884,20 @@ with DANE in their OCSP settings. For client-side DANE there are two new smtp transport options, -hosts_try_dane and hosts_require_dane. They do the obvious thing. +hosts_try_dane and hosts_require_dane. [ should they be domain-based rather than host-based? ] +Hosts_require_dane will result in failure if the target host +is not DNSSEC-secured. + DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records. A TLSA lookup will be done if either of the above options match and the host-lookup succeded using dnssec. If a TLSA lookup is done and succeeds, a DANE-verified TLS connection -will be required for the host. - -(TODO: specify when fallback happens vs. when the host is not used) +will be required for the host. If it does not, the host will not +be used; there is no fallback to non-DANE or non-TLS. If DANE is requested and useable (see above) the following transport options are ignored: