Hi, I kinda have a deployed implementation of this, for mutual server to server authentication with DANE in XMPP. I've settled on using SRV record indirection that would already be in place for srv-dane. This already has a number of deployments¹ and thus Just Works.
I experimented with something similar to the simple model in the draft before (_xmpp-server.example.com IN TLSA) but Matthew Miller (IIRC, can't find the thread now) raised an issue wrt delegation, that it gets harder to point at TLSA records hosted by a hosting provider. And it's harder to get people to deploy two sets of TLSA records at different places.

¹ https://xmpp.net/reports.php#dnssecdane

--
Kim "Zash" Alvefur
_______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
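The SRV indirection described in the message above, sketched as an added example (not code from the post or from any XMPP server): the verifier follows the claimed domain's SRV records and looks for TLSA records at the srv-dane owner name `_port._tcp.<SRV target>`, which can sit in a hosting provider's zone. The `ZONE` table, the `hosting.example` names, the function names and the "SPKI" bytes are constructed; only `3 1 1` TLSA records are handled, and the `secure` flag stands in for a DNSSEC-validating resolver.

```python
import hashlib
import hmac

# Constructed sample data: (owner name, type) -> (DNSSEC-secure?, records).
# SRV records are (priority, weight, port, target);
# TLSA records are (usage, selector, matching type, hex digest).
ZONE = {
    ("_xmpp-server._tcp.example.com.", "SRV"):
        (True, [(0, 5, 5269, "xmpp.hosting.example.")]),
    ("_xmpp-server._tcp.insecure.example.", "SRV"):
        (False, [(0, 5, 5269, "xmpp.hosting.example.")]),
    # Lives in the hosting provider's zone, not in example.com.
    ("_5269._tcp.xmpp.hosting.example.", "TLSA"):
        (True, [(3, 1, 1, hashlib.sha256(b"constructed-spki").hexdigest())]),
}


def tlsa_owner_names(domain, zone):
    """Return the TLSA owner names reached through the domain's SRV records."""
    secure, srvs = zone.get((f"_xmpp-server._tcp.{domain}.", "SRV"), (False, []))
    if not secure:
        # An unsigned SRV answer could redirect the lookup, so DANE is not used.
        return []
    return [f"_{port}._tcp.{target}" for _prio, _weight, port, target in srvs]


def peer_matches(domain, spki_der, zone):
    """True if the peer's public key matches a secure 3 1 1 TLSA record."""
    digest = hashlib.sha256(spki_der).hexdigest()
    for name in tlsa_owner_names(domain, zone):
        secure, tlsas = zone.get((name, "TLSA"), (False, []))
        if not secure:
            continue
        for usage, selector, mtype, data in tlsas:
            if (usage, selector, mtype) == (3, 1, 1) and hmac.compare_digest(data, digest):
                return True
    return False


if __name__ == "__main__":
    print(tlsa_owner_names("example.com", ZONE))
    print(peer_matches("example.com", b"constructed-spki", ZONE))
```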
