On 2024-07-07 Wolfgang <debian-bug-rep...@wkraft.org> wrote:
[...]
> Problem occurs in sending mails to a DANE protected MX, under certain
> conditions.
[...]

Hello,

I have read through all the messages on exim-user and afaict the whole
issue was diagnosed as not using DANE at all for lack of dnssec.

4cbe872a-da6f-491a-b3b5-15ba29317...@wizmail.org From: Jeremy Harris:
| 12:41:19 21110 host mx06.et.lindenberg.one [85.215.77.84] MX=16 dnssec=no
|                                                                 ^^^^^^^^^

zovpxavwdvxo4...@chardros.imrryr.org by Viktor Dukhovni:
| But does glibc strip the AD bit when processing the response? Do you
| have "options trust-ad" in /etc/resolv.conf?

As another datapoint lists.gentoo.org also has a '2 1 1' TLSA record and
I can successfully deliver there with successful dane certificate
validation there (CV=dane in the logline). That is with a DNS resolver
that does dnssec, the respective changes to glibc resolver configuration,
and on exim's side dns_dnssec_ok.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
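The checks named in the message above, collected into one offline diagnostic; this is an added example, not part of the original message and not code from exim or Debian. The function names and sample inputs are hypothetical, and treating `dns_dnssec_ok = 1` as the intended exim setting is an assumption.

```python
import re

# Line shape copied from the exim debug output quoted in the message above.
HOST_RE = re.compile(r"host (\S+) \[([^\]]+)\] MX=(\d+) dnssec=(yes|no)")

def resolver_trusts_ad(resolv_conf):
    """True if an 'options' line in resolv.conf text contains trust-ad."""
    for raw in resolv_conf.splitlines():
        fields = raw.split()
        # Commented-out lines start with '#' or ';', so fields[0] never matches.
        if fields and fields[0] == "options" and "trust-ad" in fields[1:]:
            return True
    return False

def unsigned_hosts(debug_text):
    """(name, ip) of every MX host exim logged with dnssec=no."""
    return [(m[1], m[2]) for m in HOST_RE.finditer(debug_text) if m[4] == "no"]

def diagnose(resolv_conf, dns_dnssec_ok, debug_text):
    """Return the reasons DANE would be skipped for lack of DNSSEC."""
    findings = []
    if not resolver_trusts_ad(resolv_conf):
        findings.append("resolv.conf lacks 'options trust-ad'")
    if dns_dnssec_ok != 1:  # assumption: 1 is the value meant in the message
        findings.append("exim dns_dnssec_ok is not 1")
    for name, ip in unsigned_hosts(debug_text):
        findings.append(f"{name} [{ip}] resolved with dnssec=no")
    return findings

# Constructed sample inputs; DEBUG_BEFORE reuses the line quoted above.
RESOLV_BEFORE = "nameserver 127.0.0.1\noptions edns0\n"
RESOLV_AFTER = "nameserver 127.0.0.1\noptions edns0 trust-ad\n"
DEBUG_BEFORE = ("12:41:19 21110 host mx06.et.lindenberg.one "
                "[85.215.77.84] MX=16 dnssec=no\n")
DEBUG_AFTER = "12:41:19 21110 host mx.example.net [192.0.2.25] MX=10 dnssec=yes\n"

if __name__ == "__main__":
    for label, args in (("before", (RESOLV_BEFORE, -1, DEBUG_BEFORE)),
                        ("after", (RESOLV_AFTER, 1, DEBUG_AFTER))):
        print(label, diagnose(*args) or "no DNSSEC obstacle found")
```

A clean result only says the local preconditions are in place; the configured nameserver must still be a validating resolver for the AD bit to mean anything.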