On 7/19/15 11:49 AM, Viktor Dukhovni wrote:
> My reading of the draft is that it is primary aimed at making DANE
> practical for HTTPS,  where last-mile considerations on the client
> end are a significant part of the adoption barrier.
> 
> For HTTP, MX and SRV records are out of scope.  Clients that depend
> on DNS to the extent of determining the server identity based on
> MX or SRV records, already need DNSSEC to avoid MiTM issues, and
> at least in the case of SMTP and XMPP are expected to handle DANE
> without stapled TLSA RRsets (and associated RRSIG/DNSKEY/DS chains).

Yup, exactly.  Thanks.

Melinda


-- 
Melinda Shore
No Mountain Software
[email protected]

"Software longa, hardware brevis."

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls

Reply via email to