>>>>> "DC" == Dave Cridland <[email protected]> writes:
DC> No, that's not true. That's only true if the TLSA records provide a
DC> specific EE cert; that is, Certificate Usage 3. All other cases involve
DC> path validation and name checks.

Even with types 0, 1 or 2, the point is that the machine name is always used rather than any service name, so it only needs a single cert and therefore SNI doesn't do anything.

Obviously SNI is still needed in the short term until DNSSEC is more widely usable, but I was specific that I was writing about DANE's long-term goal in the MX/SRV case.

-JimC
-- 
James Cloos <[email protected]> OpenPGP: 0x997A9F17ED7DAEA6
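To make the distinction the two posters are arguing about concrete, here is an added example (not code from the thread or from any DANE implementation) that models the client-side TLSA check for the MX case in Python. Certificates are represented as plain records holding constructed DER and SubjectPublicKeyInfo bytes, their DNS names and a flag for ordinary PKIX validity; real chain building and signature verification are assumed to be done by the TLS library and are not implemented here. The model follows the RFC 6698 usage/selector/matching-type semantics: with usage 3 (DANE-EE) only the pinned end-entity key matters and no name is checked, while with usages 0, 1 and 2 the name that is checked is the MX hostname the TLSA record hangs off, not the mail domain the client started from.

```python
"""Simplified model of DANE TLSA matching for an SMTP MX host.

Added illustration, not from the original thread. Certificates are plain
records with constructed sample bytes; PKIX chain building and signature
verification are assumed to happen elsewhere (e.g. in the TLS library).
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Cert:
    der: bytes               # full certificate encoding (constructed sample bytes)
    spki: bytes              # SubjectPublicKeyInfo encoding (constructed sample bytes)
    names: tuple             # DNS names the certificate was issued for
    pkix_valid: bool = False # would this chain to a pre-installed trust anchor?


@dataclass
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data from the record


def association_data(cert, selector, mtype):
    """Compute what the TLSA record's data field should contain for this cert."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError("unknown matching type %d" % mtype)


def tlsa_matches(rec, chain, mx_host):
    """Decide whether the presented chain satisfies one TLSA record.

    chain[0] is the server's end-entity certificate, chain[1:] its issuers.
    mx_host is the MX hostname the TLSA record was looked up for.
    Returns (accepted, reason).
    """
    ee = chain[0]
    # PKIX-TA and PKIX-EE additionally require ordinary PKIX validation.
    if rec.usage in (0, 1) and not ee.pkix_valid:
        return False, "PKIX validation failed"
    # EE usages (1, 3) pin the leaf; TA usages (0, 2) pin an issuer in the chain.
    candidates = [ee] if rec.usage in (1, 3) else chain[1:]
    if not any(association_data(c, rec.selector, rec.mtype) == rec.data
               for c in candidates):
        return False, "no certificate in the chain matches the TLSA record"
    if rec.usage == 3:
        # DANE-EE: the record itself identifies the key, so no name check is
        # needed and the client has nothing to tell the server via SNI.
        return True, "DANE-EE match; name check skipped"
    # Usages 0, 1, 2: the name checked is the MX hostname (the machine name),
    # so one certificate per host suffices regardless of how many mail
    # domains point at it.
    if mx_host.lower() not in [n.lower() for n in ee.names]:
        return False, "certificate is not issued for %s" % mx_host
    return True, "TLSA match plus name check against MX hostname"


# Constructed sample data; these are not real certificates.
CA = Cert(der=b"ca-cert-der", spki=b"ca-spki", names=())
MX = Cert(der=b"mx-cert-der", spki=b"mx-spki", names=("mx1.example.net",))
CHAIN = [MX, CA]
REC_EE = TLSA(3, 1, 1, hashlib.sha256(b"mx-spki").digest())      # "3 1 1 ..."
REC_TA = TLSA(2, 0, 1, hashlib.sha256(b"ca-cert-der").digest())  # "2 0 1 ..."
REC_PKIX = TLSA(1, 1, 1, hashlib.sha256(b"mx-spki").digest())    # "1 1 1 ..."

if __name__ == "__main__":
    for rec, host in [(REC_EE, "mx1.example.net"), (REC_EE, "mail.example.org"),
                      (REC_TA, "mx1.example.net"), (REC_TA, "example.net"),
                      (REC_PKIX, "mx1.example.net")]:
        print(rec.usage, host, tlsa_matches(rec, CHAIN, host))
```

Running the script shows the asymmetry the thread turns on: the usage 3 record accepts the chain whatever hostname the client had in mind, the usage 2 record accepts it only when the MX hostname appears in the leaf certificate, and the usage 1 record fails because the constructed leaf is not PKIX-valid.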
