[dns-operations] TLSA records on MX
Zuleger, Holger, Vodafone DE
holger.zuleger at vodafone.com
Tue Jun 11 07:59:39 UTC 2013
> > The Certificate provided by spodhuis.org authenticates the
> target mx.spodhuis.org,
> > but not the query domain (which is spodhuis.org).
> To be clear: for mail delivery, you want:
> The SMTP case is not quite the same as the SRV case, thus
> there being a
> distinct draft to cover it.
> The SRV text doesn't quite match MX practice; historically,
> there's been
> *no* default verification of certificate hostname for MX delivery,
> because nobody could agree even on what should be, or could safely be,
> The server for spodhuis.org also handles a number of other domains and
> it would be inappropriate to pick one, or to reissue the cert
> as domains
> come and go. This is the fundamental issue which led to solution of
> validating the _target_ domain.
Ok, this was exactly me understanding.
> In the text you cite, the "MUST" is for clients that cannot perform
> DNSSEC validation, to attempt to preserve backwards compatibility for
> some fairly common cases where there's a 1:1 mapping between domain at
> hostname (target domain) servicing the domain.
Ok, but what confuses me is that the MUST is for non dnssec validation
clients and for the others it is just a SHOULD.
So at the end it's a bit unclear for me what to put in the certificate.
Even because I don't know if the cleint uses dnssec validation or not.
> The SMTP draft references only chapter 3 of the SRV draft.
Ok, I think I have to re-read this.
More information about the dns-operations