Peter Saint-Andre <[email protected]> wrote:
> On 6/1/12 11:03 AM, Shumon Huque wrote:
> > On Fri, Jun 01, 2012 at 05:47:50PM +0100, Tony Finch wrote:
> >>
> >> I presume that the client would not actually use mail.example.net as a
> >> reference identifier unless DNSSEC is in use, otherwise that would not be
> >> secure and is therefore forbidden according to the rules a few paragraphs
> >> earlier in RFC 6125.
> >
> > That sounds correct to me.
>
> Agreed. That's the approach Matt Miller and I are taking for secure
> delegation in XMPP (we'll submit an I-D soonish).

I have a review in the works :-)

While I was investigating this yesterday I had a look at gmail.com's
RFC 6186 email SRV setup since I thought I might use it as an example.
Sadly their servers have the wrong certificates - they can only
authenticate {imap,pop,smtp}.gmail.com not gmail.com. I've written this up
in more detail at http://fanf.livejournal.com/120855.html and notified
[email protected]. I don't entirely blame them for this error since
RFC 6125's abstractions are a bit confusing and the email example doesn't
mention the "derived domain" caveat.

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
Trafalgar: West veering northwest 5 or 6. Moderate or rough. Occasional rain.
Moderate or good.
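
The reference-identifier rule discussed in this thread, as an added example that is not code from any of the posters or from RFC 6125: the SRV target is accepted as a reference identifier only when the lookup was DNSSEC-validated, otherwise the certificate must name the source domain. All function names and sample values are constructed for illustration, and wildcard handling is simplified to a whole left-most label.

```python
# Added example; the function names and all sample values are constructed.

def normalize(name):
    return name.lower().rstrip(".")

def reference_identifiers(source_domain, srv_target, dnssec_validated):
    """DNS names the client may accept in the server certificate.

    The source domain (what the user configured) is always acceptable. The
    SRV target is a derived domain: it came from DNS, so it only counts
    when the lookup was validated with DNSSEC.
    """
    refs = [normalize(source_domain)]
    if dnssec_validated:
        refs.append(normalize(srv_target))
    return refs

def dns_id_matches(reference, presented):
    """Compare one reference identifier to one certificate dNSName.

    Simplification: a wildcard is honoured only as the whole left-most label.
    """
    ref = reference.split(".")
    pres = normalize(presented).split(".")
    if len(ref) != len(pres):
        return False
    if pres[0] == "*":
        return ref[1:] == pres[1:]
    return ref == pres

def server_authenticated(source_domain, srv_target, dnssec_validated, cert_dns_names):
    refs = reference_identifiers(source_domain, srv_target, dnssec_validated)
    return any(dns_id_matches(r, p) for r in refs for p in cert_dns_names)

# Constructed inputs modelled on the situation described in the message:
# the account is at gmail.com, SRV points at imap.gmail.com, and one
# certificate names only the server host while the other also names gmail.com.
CERT_HOST_ONLY = ["imap.gmail.com"]
CERT_WITH_SOURCE = ["imap.gmail.com", "gmail.com"]

if __name__ == "__main__":
    for dnssec in (False, True):
        for cert in (CERT_HOST_ONLY, CERT_WITH_SOURCE):
            ok = server_authenticated("gmail.com", "imap.gmail.com", dnssec, cert)
            print(f"dnssec={dnssec} cert={cert} -> {'accept' if ok else 'reject'}")
```
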