On Mon, May 19, 2014 at 9:35 AM, Andreas Tauscher <[email protected]> wrote:
> As I read this, if I have a domain foo.bar and the SRV record points to
> im.example.com, c2s and s2s have to verify the certificate against foo.bar
> instead of im.example.com.
Right. You have (broadly) two possible cases:

1) You trust that the DNS/IP layers can't be tampered with. In this case there's no need for verification of the certificates, as you're confident you're connecting to the right host.

2) You don't trust the DNS/IP layers, in which case you don't trust that, just because DNS tells you to connect to im.example.com instead of foo.bar, it's right, and you need to verify that the machine you connect to is authorised to act as foo.bar.

/K
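The following is an added example illustrating case 2 above; it is not code from the thread or from any XMPP implementation. It resolves a constructed SRV zone for foo.bar, gets im.example.com as the target, and then checks the certificate's dNSName entries against the origin domain (the reference identity), not against the host DNS pointed at. The SRV zone, the SAN lists and the function names are all assumptions made for the demo, and only DNS-ID matching is shown (RFC 6120 also permits SRV-ID and XmppAddr identifiers, which are omitted here).

```python
"""Reference-identity check for an SRV-delegated XMPP connection.

Added example, not part of the original thread. All zone data and
certificate SAN values below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed SRV data: what an untrusted resolver hands back for foo.bar.
SRV_ZONE = {
    "_xmpp-client._tcp.foo.bar": [SrvRecord(10, 5, 5222, "im.example.com")],
    "_xmpp-server._tcp.foo.bar": [SrvRecord(10, 5, 5269, "im.example.com")],
}


def resolve_srv(zone, domain, service):
    """Return SRV records for `service` at `domain`, lowest priority first."""
    records = zone.get(f"{service}._tcp.{domain}", [])
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def _dns_id_matches(pattern, name):
    """RFC 6125-style DNS-ID comparison: case-insensitive, and a wildcard
    is only accepted as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n) or len(p) < 2 or n[0] == "":
        return False
    if p[0] == "*":
        return p[1:] == n[1:]
    return p == n


def verify_reference_identity(san_dns_ids, origin_domain, srv_target):
    """Decide whether a certificate is acceptable for `origin_domain`.

    `san_dns_ids` are the dNSName entries of the presented certificate.
    The reference identity is the origin domain (the domain part of the
    JID), so a certificate that only names the SRV target is rejected:
    that target name came from DNS, which in case 2 is exactly what we
    do not trust. Returns (accepted, reason).
    """
    if any(_dns_id_matches(p, origin_domain) for p in san_dns_ids):
        return True, f"certificate names origin domain {origin_domain}"
    if any(_dns_id_matches(p, srv_target) for p in san_dns_ids):
        return False, (f"certificate names only the SRV target {srv_target}, "
                       f"a name supplied by DNS rather than by {origin_domain}")
    return False, "certificate names neither the origin domain nor the SRV target"


def check_connection(zone, origin_domain, service, presented_san):
    """Resolve SRV for the origin, pick the first target, verify the cert.

    With no SRV record the client falls back to A/AAAA for the origin
    domain itself, so the target is then the origin domain.
    """
    targets = resolve_srv(zone, origin_domain, service)
    target = targets[0].target if targets else origin_domain
    return verify_reference_identity(presented_san, origin_domain, target)


if __name__ == "__main__":
    # Constructed: a certificate the hosting provider holds for its own box.
    provider_cert = ["im.example.com", "*.example.com"]
    # Constructed: a certificate the provider obtained for the hosted domain.
    delegated_cert = ["im.example.com", "foo.bar"]
    for san in (provider_cert, delegated_cert):
        ok, why = check_connection(SRV_ZONE, "foo.bar", "_xmpp-client", san)
        print("ACCEPT" if ok else "REJECT", "-", why)
```

The first run rejects the provider's own certificate even though it is perfectly valid for im.example.com; only the second, which names foo.bar, is accepted. That is the whole point of case 2: the SRV target is data the verifier must not let choose its own reference identity.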
