I finally made time to read it through in one sitting.
And it looks spot on. (Presuming I correctly grokked the intent. :)
AIUI:

When dnssec is bogus:
    die!die!die! ;^)

In the case where dnssec is unavailable:
    if the server was specified by the user:
        that hostname:port is used for sni
        (and CN if the client lacks sni)
    or, if the server was specified via SRV:
        the email addr's right-hand-part is used
        for sni (and CN if the client lacks sni)

When dnssec is available and verifies:
    whether the server was specified by the user or via SRV:
        that hostname:port is used for tlsa, sni
        (and CN if the client lacks sni)
    if tlsa rr exists:
        the server MUST support tls

With, in the non-SRV cases, port defaulting to:
    tcp/143 for imap://
    tcp/993 for imaps://
    tcp/110 for pop://
    tcp/995 for pops://
    tcp/587 for submission://
Yes?
That seems to meet all of the needs and current realities.
-JimC
--
James Cloos <[email protected]> OpenPGP: 1024D/ED7DAEA6
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane