Viktor Dukhovni:
> The socketmap service could check for DANE TLSA records first,
> and return "dane", it would have to check that the domain is
> DNSSEC signed, and then check whether all of (the first 10 by
> preference to reduce delay) the MX hosts have TLSA records.
A. Schulze:
> That mean the external application will do the same job as postfix does:
> determine DANE TLSA records but not validating them, right?
>
> Isn't implementing the same job in multiple places what Wietse name "waste of
> ressources"?
No, it is basic separation of 1) policy selection (by the policy
service) and 2) policy enforcement (by the Postfix SMTP client).
Wietse
