Paul Wouters <[email protected]> writes:
> On Sun, 23 Mar 2014, Viktor Dukhovni wrote:
>
>> when the TLSA records are entirely unusable, and in keeping with Tony's
>> original work on the SRV draft, the client reverts to legacy
>> mandatory (practically always unauthenticated) TLS.
>
> That's unfortunate. Perhaps it depends on the definition of "unusable",
> but if all TLSA records for instance fail the RRSIG validation, I would
> hope that postfix would abort delivery attempts and definitely _not_
> fallback to unauthenticated TLS.
Yes, this is the case, Paul (no need to worry).
From 6698:
// unusable records include unknown certUsage, unknown
// selectorType, unknown matchingType, erroneous RDATA, and
// prohibited by local policy
Within the SMTP draft, DNSSEC and, for that matter, any DNS error
indicates a full stop with that MX host. It'll try other hosts, and if
they're broken too then delay.
The unusable indicates "I can't understand the TLSA record for some
reason", not "the hash didn't match" or "was not validated".
--
Wes Hardaker
Parsons
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
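The distinction the message draws (a DNSSEC or other DNS failure stops the client from using that MX host at all; a TLSA RRset whose records are all "unusable" in the RFC 6698 sense falls back to legacy TLS; a record that is understood but whose hash does not match is an authentication failure, not an "unusable" record) is easy to get wrong in an implementation. The following Python is an added illustration written for this page; it is not Postfix code or any project's code. It models only what the message states: secure RRset, bogus RRset, and other DNS errors; an unsigned zone or a secure "no TLSA records" answer is not modelled. The `default_policy` function, the `Lookup`/`Action` names, and the constructed SPKI bytes and records are assumptions for the example, and the matching step only handles the DANE-EE(3)/SPKI(1) case.

```python
"""Toy model of the DANE-for-SMTP decisions in the message: RFC 6698
"unusable" TLSA records, what a DNS/DNSSEC failure does to an MX host, and
how a hash mismatch differs from "unusable". Added example, not project code."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Sequence, Tuple

# RFC 6698 parameter values; anything outside these sets is "unknown".
KNOWN_USAGES = {0, 1, 2, 3}      # PKIX-TA, PKIX-EE, DANE-TA, DANE-EE
KNOWN_SELECTORS = {0, 1}         # full certificate, SubjectPublicKeyInfo
KNOWN_MATCHING = {0, 1, 2}       # exact, SHA-256, SHA-512
DIGEST_LEN = {1: 32, 2: 64}      # required RDATA length per digest type


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes


class Lookup(Enum):              # assumed names for the lookup outcome
    SECURE = "secure"            # RRset present and DNSSEC-validated
    BOGUS = "bogus"              # RRSIG validation failed
    SERVFAIL = "servfail"        # any other DNS error


class Action(Enum):              # assumed names for the client's decision
    DANE = "DANE-authenticated TLS required"
    LEGACY_TLS = "legacy (unauthenticated) TLS"
    SKIP_HOST = "DNS/DNSSEC error: give up on this MX host"
    DEFER = "all MX hosts failed: delay delivery"


Policy = Callable[[TLSA], bool]


def default_policy(rr: TLSA) -> bool:
    """Assumed local policy for the example: accept everything RFC 6698 allows."""
    return True


def is_usable(rr: TLSA, policy: Policy = default_policy) -> bool:
    """RFC 6698 usability: known usage/selector/matching type, well-formed RDATA,
    not prohibited by local policy. Says nothing about whether the record matches."""
    if rr.usage not in KNOWN_USAGES or rr.selector not in KNOWN_SELECTORS:
        return False
    if rr.matching not in KNOWN_MATCHING:
        return False
    if rr.matching in DIGEST_LEN and len(rr.data) != DIGEST_LEN[rr.matching]:
        return False                 # erroneous RDATA: wrong digest length
    if rr.matching == 0 and not rr.data:
        return False                 # erroneous RDATA: empty full-object record
    return policy(rr)


def decide_host(lookup: Lookup, rrset: Sequence[TLSA],
                policy: Policy = default_policy) -> Action:
    """Per-MX-host decision made before any TLS handshake."""
    if lookup is not Lookup.SECURE:
        return Action.SKIP_HOST      # bogus RRSIG or DNS error: full stop here
    if not any(is_usable(rr, policy) for rr in rrset):
        return Action.LEGACY_TLS     # every record unusable: revert to legacy TLS
    return Action.DANE


def choose_host(mx_results: Sequence[Tuple[str, Lookup, Sequence[TLSA]]],
                policy: Policy = default_policy) -> Tuple[Optional[str], Action]:
    """Walk MX hosts in order, skip hosts with DNS errors, defer if none is left."""
    for host, lookup, rrset in mx_results:
        action = decide_host(lookup, rrset, policy)
        if action is not Action.SKIP_HOST:
            return host, action
    return None, Action.DEFER


def matches_spki(rr: TLSA, spki_der: bytes) -> bool:
    """DANE-EE(3)/SPKI(1) check at TLS time. False here is an authentication
    failure, not an "unusable" record: the record was understood, it simply
    does not match the key the server presented. Other usages are not modelled."""
    if rr.usage != 3 or rr.selector != 1:
        return False
    if rr.matching == 0:
        return rr.data == spki_der
    algo = {1: "sha256", 2: "sha512"}[rr.matching]
    return hashlib.new(algo, spki_der).digest() == rr.data


# Constructed inputs for the example (not real keys or zone data).
SERVER_SPKI = b"constructed SubjectPublicKeyInfo DER bytes"
GOOD_RR = TLSA(3, 1, 1, hashlib.sha256(SERVER_SPKI).digest())
UNKNOWN_USAGE_RR = TLSA(7, 1, 1, hashlib.sha256(SERVER_SPKI).digest())
SHORT_DIGEST_RR = TLSA(3, 1, 1, b"\x00" * 31)
STALE_RR = TLSA(3, 1, 1, hashlib.sha256(b"previous key").digest())


def example() -> dict:
    mx = [
        ("mx1.example", Lookup.BOGUS, [GOOD_RR]),                       # skipped
        ("mx2.example", Lookup.SECURE, [UNKNOWN_USAGE_RR, SHORT_DIGEST_RR]),
        ("mx3.example", Lookup.SECURE, [GOOD_RR]),
    ]
    return {
        "chosen": choose_host(mx),
        "all_bogus": choose_host([("mx1.example", Lookup.BOGUS, [GOOD_RR])]),
        "stale_is_usable": is_usable(STALE_RR),
        "stale_matches": matches_spki(STALE_RR, SERVER_SPKI),
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(key, "->", value)
```

In the walk, mx1 has a bogus RRSIG and is skipped outright, and mx2 is then selected with legacy TLS because both of its records are unusable (an unknown certificate usage and a 31-byte "SHA-256" digest), even though mx3 would have supported DANE. The stale record shows the other half of the point: it passes `is_usable` but fails `matches_spki`, which is a verification failure, not an unusable record.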