On Tue, Apr 12, 2016 at 06:52:31PM +0200, Daniel Margolis wrote:
> I'm not sure if I'm being stupid here, but what does it mean for STS to be
> "trumped" by DANE (or the reverse)? Do you mean that if the recipient
> domain/MX has both STS and DANE you will *only* validate the DANE policy?
Correct. Trying to enforce both is too complex, and needlessly
increases the risk of delivery problems.
> If we instead said that senders who validate STS must honor STS and senders
> who validate DANE must honor DANE, is there a conflict?
That language is either tautological, or unreasonable, if intended
to imply that systems capable of both must be willing to apply both
concurrently.
> I would presume that if there is either a DANE failure or an STS failure
> senders who validate both will treat it as a failure. Introducing a concept
> of priority strikes me as unnecessary. What am I missing?
I have no plans to support concurrent evaluation of potentially
conflicting policies. DANE is more robust than STS; given a DANE
policy, I see no reason to also consider STS policy.
Of course an administrator will be able to choose which policy
applies to a given nexthop, but not enforcement of both.
--
Viktor.
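To make the precedence argued above concrete, here is an added sketch (not code from this thread, from Postfix or from any other MTA; the Nexthop fields, the per-nexthop "admin" override and the simplified DANE/STS checks are all assumptions). It selects a single policy per nexthop and contrasts that with the rejected "enforce both" design on a constructed case where both policies exist but the cached MTA-STS MX list is stale.

```python
from dataclasses import dataclass

@dataclass
class StsPolicy:
    mode: str  # "enforce", "testing" or "none"
    mx: list   # permitted MX patterns, e.g. "mx1.example.org" or "*.example.org"

@dataclass
class Nexthop:
    mx_host: str       # MX host actually selected for this delivery attempt
    tlsa_usable: bool  # DNSSEC-validated TLSA records exist, so a DANE policy applies
    dane_match: bool   # the server certificate matched a TLSA record (simplified)
    sts: "StsPolicy | None" = None

def sts_mx_allowed(host: str, patterns: list) -> bool:
    # MTA-STS style match: exact host, or "*." covering exactly one leftmost label
    for p in patterns:
        if host == p or (p.startswith("*.") and host.count(".") == p.count(".")
                         and host.endswith(p[1:])):
            return True
    return False

def select_policy(nh: Nexthop, admin: str = "auto") -> "str | None":
    # One policy only: explicit per-nexthop choice, else DANE if present, else STS enforce
    if admin in ("dane", "sts"):
        return admin
    if nh.tlsa_usable:
        return "dane"
    if nh.sts and nh.sts.mode == "enforce":
        return "sts"
    return None

def policy_passes(nh: Nexthop, which: str) -> bool:
    if which == "dane":
        return nh.dane_match
    return nh.sts is not None and sts_mx_allowed(nh.mx_host, nh.sts.mx)

def may_deliver(nh: Nexthop, admin: str = "auto", enforce_both: bool = False) -> bool:
    # enforce_both=True models the rejected design: every applicable policy must pass
    if enforce_both:
        checks = [policy_passes(nh, "dane")] if nh.tlsa_usable else []
        if nh.sts and nh.sts.mode == "enforce":
            checks.append(policy_passes(nh, "sts"))
        return all(checks)
    chosen = select_policy(nh, admin)
    return chosen is None or policy_passes(nh, chosen)

# Constructed scenario: the domain moved mail to mx2 and published TLSA for it,
# but the sender's cached MTA-STS policy still lists only the old host.
CONFLICT = Nexthop("mx2.example.org", True, True, StsPolicy("enforce", ["mx1.example.org"]))
```

With DANE taking precedence the message is delivered; requiring both policies to pass turns the stale STS cache into a delivery failure.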
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta