On Fri, Oct 10, 2014 at 02:36:42AM +1100, [email protected] wrote:
> is it possible & legal to incorporate 2 TLSA RRs in a zone file the
> following way for the same protocol/port ie. 25:
Yes, absolutely. Multiple TLSA RRs can and will appear in a TLSA
RRset, either as a result of key rotation in progress, or because
there are multiple keys valid at the same time.
> Assume postfix has setup 2 certs; an RSA and ECDSA
>
> If it's possible how would a particular TLSA RR be chosen?
Each TLSA RR is compared against the server's chain until one
matches.
> Is it based upon negotiated cipher?
No, generally the TLSA RR does not signal a particular public key
algorithm. With matching type Full(0) one could infer the algorithm
from the public key, but in practice it is easier to just compare the
bits regardless.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
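The matching procedure described in the reply above, as an added worked example (this is not code from the thread, from Postfix or from any DANE library): a zone publishes one TLSA record per server key (RSA and ECDSA), and the verifier walks the RRset, derives the certificate association data for each record's selector and matching type from the certificate the server actually presented, and stops at the first record whose bits compare equal. The key algorithm never enters the decision. The "certificates" are constructed DER skeletons with the shape of an X.509 Certificate so the selector logic (full certificate vs SubjectPublicKeyInfo) can be shown without a TLS library; they are not real certificates, their keys and signatures are placeholder bytes, and the helper names are this example's own.

```python
"""Added example: TLSA RRset matching per RFC 6698 / RFC 7671 (not from the thread)."""
import hashlib
from typing import List, NamedTuple, Optional, Tuple

# --- minimal DER helpers: encode for the fixtures, decode for the selector ---

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after this TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def spki_from_cert(cert_der: bytes) -> bytes:
    """SubjectPublicKeyInfo (tag and length included) from a Certificate:
    the element after [0] version (optional), serialNumber, signature,
    issuer, validity and subject in tbsCertificate."""
    _, cert_body, _ = der_read(cert_der, 0)            # Certificate SEQUENCE
    _, tbs, _ = der_read(cert_body, 0)                 # tbsCertificate SEQUENCE
    tag, _, pos = der_read(tbs, 0)
    if tag == 0xA0:                                    # explicit [0] version present
        _, _, pos = der_read(tbs, pos)                 # serialNumber
    for _ in range(4):                                 # signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    start = pos
    _, _, end = der_read(tbs, pos)                     # subjectPublicKeyInfo
    return tbs[start:end]

# --- TLSA records and the comparison a verifier performs ---

class TLSA(NamedTuple):
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = Full, 1 = SHA2-256, 2 = SHA2-512
    data: bytes    # certificate association data

def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    selected = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {mtype}")

def tlsa_record(cert_der: bytes, usage: int, selector: int, mtype: int) -> TLSA:
    """The RR a zone operator publishes for cert_der (zone side of the protocol)."""
    return TLSA(usage, selector, mtype, association_data(cert_der, selector, mtype))

def match_chain(rrset: List[TLSA], chain: List[bytes]) -> Optional[Tuple[int, int]]:
    """Return (RR index, chain index) of the first match, or None.

    EE usages (1, 3) are compared against the end-entity certificate only;
    TA usages (0, 2) against every certificate the server presented. Records
    with parameters this verifier does not support are unusable and skipped
    (RFC 7671); PKIX chain validation for usages 0/1 is outside this example.
    """
    for i, rr in enumerate(rrset):
        candidates = chain[:1] if rr.usage in (1, 3) else chain
        for j, cert in enumerate(candidates):
            try:
                if association_data(cert, rr.selector, rr.mtype) == rr.data:
                    return i, j
            except ValueError:
                break                                  # unusable RR, try the next one
    return None

# --- constructed fixtures (not real certificates; OIDs are the usual rsaEncryption /
# --- id-ecPublicKey + prime256v1 values, key bits are placeholders) ---

def fake_cert(spki: bytes, subject_cn: bytes) -> bytes:
    sig_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg + tlv(0x30, b"")
           + tlv(0x30, tlv(0x17, b"140101000000Z") + tlv(0x17, b"990101000000Z"))
           + tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0c, subject_cn))))
           + spki)
    return tlv(0x30, tlv(0x30, tbs) + sig_alg + tlv(0x03, b"\x00" * 9))

RSA_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + tlv(0x05, b""))
           + tlv(0x03, b"\x00" + b"\xaa" * 32))
EC_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")
           + tlv(0x06, b"\x2a\x86\x48\xce\x3d\x03\x01\x07")) + tlv(0x03, b"\x00\x04" + b"\xbb" * 64))
RSA_CERT = fake_cert(RSA_SPKI, b"mail.example")
EC_CERT = fake_cert(EC_SPKI, b"mail.example")

# Two DANE-EE(3) SPKI(1) SHA2-256(1) records in one RRset, one per server key.
RRSET = [tlsa_record(RSA_CERT, 3, 1, 1), tlsa_record(EC_CERT, 3, 1, 1)]

def demo() -> dict:
    """Whichever key the negotiated cipher suite selects, exactly one RR matches."""
    return {"rsa_chain": match_chain(RRSET, [RSA_CERT]),
            "ecdsa_chain": match_chain(RRSET, [EC_CERT]),
            "unrelated": match_chain(RRSET, [fake_cert(tlv(0x30, b"\x00"), b"other")])}

if __name__ == "__main__":
    print(demo())
```

Two points the code makes concrete: the record that matches is found by comparing bytes, not by looking at the negotiated cipher, and with selector 1 the association data is taken from the SubjectPublicKeyInfo, so a certificate can be reissued for the same key without touching the zone, whereas selector 0 records have to be republished with every new certificate.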