On 28 October 2015 at 21:32, Daniel Pocock <dan...@pocock.pro> wrote:
> We are just reviewing the final configuration before announcing
> debian.org XMPP

That's great news.

> Can anybody comment on DANE / TLSA? Should we only talk to servers
> supporting this?

Last time I looked, only around 10% of servers supported DNSSEC, let alone DANE. I think, given that the RFC has only *just* been published, that mandating DANE is premature. Requiring servers to use TLS is entirely practical, requiring them to have certificates signed by a CA you trust is also reasonable.

Dave.