[dns-operations] TLSA records on MX

Zuleger, Holger, Vodafone DE holger.zuleger at vodafone.com
Tue Jun 11 07:59:39 UTC 2013

> > The Certificate provided by spodhuis.org authenticates the target mx.spodhuis.org,
> > but not the query domain (which is spodhuis.org).
> To be clear: for mail delivery, you want:
>   http://tools.ietf.org/html/draft-ietf-dane-smtp-01
> The SMTP case is not quite the same as the SRV case, thus there being a
> distinct draft to cover it.
> The SRV text doesn't quite match MX practice; historically, there's been
> *no* default verification of certificate hostname for MX delivery,
> because nobody could agree even on what should be, or could safely be,
> validated.
> The server for spodhuis.org also handles a number of other domains and
> it would be inappropriate to pick one, or to reissue the cert as domains
> come and go.  This is the fundamental issue which led to the solution of
> validating the _target_ domain.
Ok, this was exactly my understanding.

> In the text you cite, the "MUST" is for clients that cannot perform
> DNSSEC validation, to attempt to preserve backwards compatibility for
> some fairly common cases where there's a 1:1 mapping between domain at
> hostname (target domain) servicing the domain.
Ok, but what confuses me is that the MUST is for non-DNSSEC-validating
clients and for the others it is just a SHOULD.
So in the end it's a bit unclear to me what to put in the certificate.
Even because I don't know if the client uses DNSSEC validation or not.

> The SMTP draft references only chapter 3 of the SRV draft.
Ok, I think I have to re-read this.
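As an added illustration of the quoted point (example code written for this page, not from the thread or from any mail software): the TLSA owner name is derived from the MX *target* host, and the DANE-EE check compares association data computed from the presented certificate against the record. The DER certificate and SPKI bytes below are constructed stand-ins; extracting the real SPKI from a certificate is assumed to happen elsewhere.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA, 3 = DANE-EE (the usages relevant to SMTP)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def tlsa_owner_name(mx_target: str, port: int = 25) -> str:
    # TLSA for mail delivery lives under the MX target host
    # (e.g. _25._tcp.mx.spodhuis.org.), not under the mail domain.
    return f"_{port}._tcp.{mx_target.rstrip('.')}."


def parse_tlsa(rdata: str) -> TLSA:
    # Presentation format: "<usage> <selector> <mtype> <hex data>"
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex(hexdata.replace(" ", "")))


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    # What the record's data field must equal for this certificate.
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def cert_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    # Only DANE-EE is decided here; DANE-TA (usage 2) would also need the
    # chain up to the trust anchor validated, which this example omits.
    if record.usage != 3:
        return False
    return association_data(cert_der, spki_der, record.selector, record.mtype) == record.data


# Constructed sample values standing in for real DER-encoded bytes.
SAMPLE_CERT_DER = b"constructed-cert-der-for-mx.spodhuis.org"
SAMPLE_SPKI_DER = b"constructed-spki-der-for-mx.spodhuis.org"
SAMPLE_RR = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest()

if __name__ == "__main__":
    rec = parse_tlsa(SAMPLE_RR)
    print(tlsa_owner_name("mx.spodhuis.org"), cert_matches(rec, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
```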
