Viktor Dukhovni wrote on 2015-09-07 22:46:
All three are in fact fine. So the handling of TLSA CNAMEs seems to be broken.
+1
openssl.net and openssl.net is still the same SSL/TLS, skip restriction on subdomains then? (Include CNAME MX check or not?)
But if openssl.net and openssl.org make subdomain restriction? CNAME to another TLS/SSL is worst, where I think CNAME to the same TLS/SSL is still OK,
no? I am just no expert yet.
