With &"strict"& a response from the DNS resolver that
is not labelled as authenticated data
is treated as equivalent to a temporary DNS error.
-The default is &"never"&.
+The default is &"lax"&.
See also the &$lookup_dnssec_authenticated$& variable.
unless you really, really know what you are doing. See also the generic
transport option of the same name.
-.option dnssec_request_domains routers "domain list&!!" unset
+.option dnssec_request_domains routers "domain list&!!" *
.cindex "MX record" "security"
.cindex "DNSSEC" "MX lookup"
.cindex "security" "MX lookup"
details.
-.option dnssec_request_domains smtp "domain list&!!" unset
+.option dnssec_request_domains smtp "domain list&!!" *
.cindex "MX record" "security"
.cindex "DNSSEC" "MX lookup"
.cindex "security" "MX lookup"
If DANE is not usable, whether requested or not, and CA-anchored
verification evaluation is wanted, the above variables should be set appropriately.
-Currently the (router or transport options) &%dnssec_request_domains%& must be active and &%dnssec_require_domains%& is ignored.
+The router and transport option &%dnssec_request_domains%& must not be
+set to "never" and &%dnssec_require_domains%& is ignored.
If verification was successful using DANE then the "CV" item in the delivery log line will show as "CV=dane".
function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since
3.6.0, DH parameters are negotiated following RFC7919."
+HS/06 Change the default of dnssec_request_domains to "*"
Exim version 4.92
-----------------
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
# if ipv6-enabled then instead use:
# ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
-.ifdef _HAVE_DNSSEC
- dnssec_request_domains = *
-.endif
no_more
# This closes the ROUTER_SMARTHOST ifdef around the choice of routing for
.pass_router = NULL,
.redirect_router = NULL,
- .dnssec = { NULL, NULL }, /* dnssec_domains {require,request} */
+ .dnssec = { .request= US"*", .require=NULL },
};
uschar *router_name = NULL;
causes the whole lookup to defer only if none of the DNS queries succeeds; and
'never', where all defers are as if the lookup failed. The default is 'lax'.
-- 'dnssec_FOO', with 'strict', 'lax' and 'never' (default). The meanings are
+- 'dnssec_FOO', with 'strict', 'lax' (default), and 'never'. The meanings are
require, try and don't-try dnssec respectively.
- 'retrans_VAL', set the timeout value. VAL is an Exim time specification
int rc;
int sep = 0;
int defer_mode = PASS;
-int dnssec_mode = OK;
+int dnssec_mode = PASS;
int save_retrans = dns_retrans;
int save_retry = dns_retry;
int type;
.gethostbyname = FALSE,
.dns_qualify_single = TRUE,
.dns_search_parents = FALSE,
- .dnssec = { .request=NULL, .require=NULL },
+ .dnssec = { .request= US"*", .require=NULL },
.delay_after_cutoff = TRUE,
.hosts_override = FALSE,
.hosts_randomize = FALSE,