On Thu, Mar 14, 2013 at 03:47:06PM -0400, Andrew Sullivan wrote:
> > This is a case of "no TLSA records". That's a CNAME record, not a
> > TLSA record. If the domain admin wanted to put a TLSA record there,
> > they know how to do that.
>
> Not if there's a CNAME there, they don't. You can't put a TLSA record
> there if there's a CNAME.
John clearly meant in place of, not in addition.
> > There is nothing magic about the _25._tcp subdomain names. Using
> > them for a CNAME (or an A record or anything else) does not indicate
> > a desire to use TLSA records.
>
> But if there's a CNAME with a TLSA record at the target, presumably
> you ought to use that TLSA record. No?
Yes, if both are validated, but not otherwise; in particular, a
validated CNAME to a not validated TLSA RRset is not validated, and
the combination behaves indistinguishably from "NODATA". Undoubtedly
some folks will keep getting surprised by this.
--
Viktor.
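The rule stated above (a TLSA RRset reached through a CNAME is usable only when every CNAME in the chain and the TLSA RRset itself are validated; anything else is treated exactly like NODATA) as an added worked example, not code from the thread or from any DANE implementation. The zone contents, `RRset` type and `dane_lookup` function are constructed for illustration; a real client would take the security status from a validating resolver's AD bit.

```python
from dataclasses import dataclass

# Security status a validating resolver reports for each RRset.
SECURE, INSECURE = "secure", "insecure"


@dataclass
class RRset:
    rtype: str    # "CNAME" or "TLSA"
    data: object  # CNAME target name, or the list of TLSA records
    status: str   # SECURE or INSECURE


def dane_lookup(zone, name, max_hops=8):
    """Follow CNAMEs from `name` and decide whether the final TLSA RRset is usable.

    Returns ("tlsa", records) only when every CNAME hop *and* the TLSA RRset
    are validated; otherwise ("nodata", None), which a DANE client must treat
    the same as a domain that publishes no TLSA records at all.
    """
    chain_secure = True
    for _ in range(max_hops):
        rrset = zone.get(name)
        if rrset is None:
            return ("nodata", None)          # nothing at this name
        chain_secure = chain_secure and rrset.status == SECURE
        if rrset.rtype == "CNAME":
            name = rrset.data                # keep following the chain
            continue
        if rrset.rtype == "TLSA" and chain_secure:
            return ("tlsa", rrset.data)      # validated end to end: use DANE
        return ("nodata", None)              # unvalidated somewhere: no DANE
    return ("nodata", None)                  # CNAME loop or chain too long


# Constructed sample zone data; the TLSA payload is a labelled placeholder.
TLSA_PLACEHOLDER = ["3 1 1 <placeholder-sha256>"]
ZONE = {
    # validated CNAME -> unvalidated TLSA: indistinguishable from NODATA
    "_25._tcp.mail.example.com.": RRset("CNAME", "_25._tcp.mx.example.net.", SECURE),
    "_25._tcp.mx.example.net.":   RRset("TLSA", TLSA_PLACEHOLDER, INSECURE),
    # validated CNAME -> validated TLSA: the TLSA RRset at the target is used
    "_25._tcp.mail.example.org.": RRset("CNAME", "_25._tcp.mx.example.org.", SECURE),
    "_25._tcp.mx.example.org.":   RRset("TLSA", TLSA_PLACEHOLDER, SECURE),
    # unvalidated CNAME -> validated TLSA: still NODATA, the chain is not validated
    "_25._tcp.mail.example.edu.": RRset("CNAME", "_25._tcp.mx.example.org.", INSECURE),
}
```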
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane