Viktor Dukhovni <[email protected]> wrote:
>
> Should DANE or draft-ietf-dane-{srv,smtp} say anything about the
> semantics of the "*" in "*.example.com" CNs or DNS subjectAltNames?

No. That is RFC 6125's job. But I see that dependent specs have to
explicitly say it is OK. Sigh.

> I am concerned that receiving sites like Postini may be tempted to
> publish TLSA RRs for their current wildcard certificate, causing a major
> outage for senders, since Postini handles the MX hosts for many client
> domains with MX hostnames of the form "example.com.<id>.psmtp.com" which
> does not match "*.psmtp.com" in the current Postfix implementation.

Postfix is right: a wildcard in a certificate only matches within a label.
(One of the "fun" differences between X.509 and DNS wildcards.) Postini
will have to fix that. Most of the SMTP certificates out there will have
to be replaced before they can be validated, so Postini are in good company.

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
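The single-label rule discussed in this message, as an added illustration that is not part of the thread or of Postfix's code: an RFC 6125 style certificate name comparison next to a (simplified) DNS wildcard comparison, run over constructed host names. The "1234" standing in for the "<id>" in the MX hostname is an assumed value.

```python
def wildcard_cert_name_matches(cert_name: str, host: str) -> bool:
    """RFC 6125 style comparison of a certificate DNS-ID against a host name.

    A '*' is honoured only when it is the entire leftmost label, and it
    matches exactly one DNS label; it never spans a '.'. So "*.psmtp.com"
    covers "mx1.psmtp.com" but not "example.com.1234.psmtp.com".
    Matching is case-insensitive and ignores a trailing root dot.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if "*" not in cert_name:
        return cert_labels == host_labels
    # Strict: the wildcard must be the whole leftmost label, nothing else.
    if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]):
        return False
    # Refuse wildcards that would cover an entire TLD such as "*.com".
    if len(cert_labels) < 3:
        return False
    # One host label for the '*', then every remaining label must be equal.
    if len(host_labels) != len(cert_labels):
        return False
    return host_labels[1:] == cert_labels[1:]


def dns_wildcard_matches(owner: str, qname: str) -> bool:
    """DNS wildcard semantics (RFC 4592), simplified for contrast.

    In DNS, "*.psmtp.com" matches any name with one OR MORE labels below
    psmtp.com, so "example.com.1234.psmtp.com" does match here. The
    'closer enclosing name' rule of RFC 4592 is deliberately ignored.
    """
    owner_labels = owner.lower().rstrip(".").split(".")
    q_labels = qname.lower().rstrip(".").split(".")
    if owner_labels[0] != "*":
        return owner_labels == q_labels
    suffix = owner_labels[1:]
    return len(q_labels) > len(suffix) and q_labels[-len(suffix):] == suffix


# Constructed names modelled on the thread; "1234" is an assumed <id>.
CERT_NAME = "*.psmtp.com"
MX_NAMES = ["mx1.psmtp.com", "example.com.1234.psmtp.com"]

if __name__ == "__main__":
    for mx in MX_NAMES:
        print(f"{mx:30s} X.509: {wildcard_cert_name_matches(CERT_NAME, mx)!s:5s} "
              f"DNS: {dns_wildcard_matches(CERT_NAME, mx)}")
```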
