On Tue, 26 May 2015, Mark Andrews wrote:

If the A/AAAA result is secure you do the TLSA lookup.

You can't prove
whether the server was supposed to offer STARTTLS or not.

Yes you can? The presence of TLSA means you MUST do STARTTLS,
and not downgrade to plaintext. Sure, it can be spoofed but
you're not posting anything signed with DNSSEC, you're not
losing any security here?

If the answer is INSECURE you can't prove the TLSA exists.  The
MUST only applies if you get a SECURE response to the TLSA record
which will not happen if the A/AAAA response is insecure.

I forgot the whole level of indirection looking up the TLSA at the
mail server names instead of the domain zone itself. I never liked
these but I understand why it's the least worst solution.

Thanks Mark and Viktor for explaining it to me, again....  :)

Paul

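The decision the two messages above spell out, written up as an added example (not code from anyone on this thread): an SMTP client looks up TLSA only after the MX host's A/AAAA answers validated, under _25._tcp.<MX host> rather than the mail domain, and treats TLS as mandatory only when the TLSA answer itself is secure (the rules later published as RFC 7672). The resolver and the zone data are stubbed and constructed, and the MX-RRset validation that precedes this step is assumed done and not modelled.

```python
from typing import Callable, Dict, List, Tuple

Answer = Tuple[str, List[str]]           # (DNSSEC state, record data)
Resolver = Callable[[str, str], Answer]  # (qname, qtype) -> Answer


def policy_for_mx(resolve: Resolver, mx_host: str, port: int = 25) -> str:
    """Policy for one MX host that was already obtained from a validated MX
    lookup (the MX-RRset checks themselves are not modelled here).

    "dane"          - TLSA is DNSSEC-secure: STARTTLS is mandatory and the
                      certificate must match a TLSA record; never downgrade.
    "opportunistic" - nothing provable: use TLS if offered, else cleartext.
    "skip"          - validation failed (bogus): do not connect to this host.
    """
    # The TLSA RRset hangs off the MX host name (_25._tcp.<mx host>), not the
    # mail domain: the level of indirection mentioned in the thread.
    for qtype in ("A", "AAAA"):
        state, _ = resolve(mx_host, qtype)
        if state == "bogus":
            return "skip"
        if state != "secure":
            # Insecure address records: a TLSA answer under this name cannot
            # be secure either, so nothing is provable. Skip the lookup.
            return "opportunistic"
    state, records = resolve(f"_{port}._tcp.{mx_host}", "TLSA")
    if state == "bogus":
        return "skip"
    if state == "secure" and records:
        return "dane"
    # Secure denial of existence, or an insecure answer: no usable TLSA.
    return "opportunistic"


def make_resolver(zone: Dict[Tuple[str, str], Answer]) -> Resolver:
    """Stub resolver over a constructed table; a name that is absent counts
    as a secure denial of existence (state "secure", no records)."""
    return lambda qname, qtype: zone.get((qname, qtype), ("secure", []))


# Constructed sample data under the reserved .example TLD; not real hosts.
ZONE: Dict[Tuple[str, str], Answer] = {
    ("mx1.signed.example", "A"):              ("secure", ["192.0.2.25"]),
    ("mx1.signed.example", "AAAA"):           ("secure", ["2001:db8::25"]),
    ("_25._tcp.mx1.signed.example", "TLSA"):  ("secure", ["3 1 1 <constructed>"]),
    ("mx2.signed.example", "A"):              ("secure", ["192.0.2.26"]),
    ("mx.unsigned.example", "A"):             ("insecure", ["198.51.100.25"]),
    ("_25._tcp.mx.unsigned.example", "TLSA"): ("insecure", ["3 1 1 <constructed>"]),
    ("mx.broken.example", "A"):               ("bogus", []),
}
```

Note that mx.unsigned.example has a TLSA record in the table yet still gets "opportunistic": with insecure address records the client never consults it, which is exactly the case discussed above.
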
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
