Wietse Venema:
> Viktor Dukhovni:
> > On Mon, Feb 13, 2023 at 07:33:35PM -0500, Wietse Venema wrote:
> >
> > > There's a first implementation in postfix-3.8-20230213-nonprod.
> > > Docs: https://www.postfix.org/postconf.5.html#use_srv_lookup
> > > Code: http://ftp.porcupine.org/mirrors/postfix-release/index.html#non-prod
> > >
> > > To see all SRV related changes, diff the code against
> > > postfix-3.8-20230213.
> > > Code:
> > > http://ftp.porcupine.org/mirrors/postfix-release/index.html#experimental
> >
> > How does this interact with DANE? If the SRV RRset is DNSSEC-signed, do
> > we get TLSA lookups for _<port>._tcp.<target> (possibly after secure
> > end-to-end CNAME expansion), just as with MX lookups?
>
> The SRV lookup code is almost identical to the MX lookup code; it
> returns the same mxrr value with rname and qname values.
>
> SMTP_ITERATOR.port is updated with SRV port information, so that
>
>     dane = tls_dane_resolve(iter->port, "tcp", iter->rr,
>                             var_smtp_tls_force_tlsa)
>
> will use the correct remote port.

While we're on the topic of DANE, is there any reason why TLSA info
is never looked up for destinations specified as [domain-name]?

Wietse
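
The name construction discussed in this thread, as an added example that is not part of the original messages and is not Postfix code: it derives the TLSA query name _<port>._tcp.<target> from one SRV record, and skips the lookup when the SRV RRset was not DNSSEC-validated. The struct, the function name and the sample records are assumptions made for illustration; CNAME expansion of the target is not modelled.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical SRV record for this example; not a Postfix structure. */
struct srv_rr {
    const char *target;                 /* SRV target host name */
    unsigned port;                      /* SRV port field */
};

/*
 * Write the TLSA query name "_<port>._tcp.<target>" into buf.
 * Returns the name length; 0 when the SRV RRset was not DNSSEC-validated
 * (no TLSA lookup, no DANE); -1 on an unusable record or a short buffer.
 */
int srv_tlsa_qname(const struct srv_rr *rr, int rrset_secure,
                   char *buf, size_t len)
{
    size_t tlen;
    int n;

    if (rr == NULL || rr->target == NULL || buf == NULL || len == 0)
        return -1;
    tlen = strlen(rr->target);
    if (tlen > 0 && rr->target[tlen - 1] == '.')
        tlen--;                         /* drop the root label's dot */
    /* An empty target (originally ".") means "service not offered". */
    if (tlen == 0 || rr->port == 0 || rr->port > 65535)
        return -1;
    if (!rrset_secure)
        return 0;
    n = snprintf(buf, len, "_%u._tcp.%.*s", rr->port, (int) tlen, rr->target);
    return (n < 0 || (size_t) n >= len) ? -1 : n;
}

int main(void)
{
    /* Constructed sample RRset for _submission._tcp.example.com. */
    struct srv_rr rrset[] = { {"mail1.example.com.", 587},
                              {"mail2.example.com.", 2525} };
    char name[300];
    size_t i;

    for (i = 0; i < sizeof rrset / sizeof rrset[0]; i++)
        if (srv_tlsa_qname(&rrset[i], 1, name, sizeof name) > 0)
            printf("%s:%u -> TLSA %s\n", rrset[i].target, rrset[i].port, name);
    return 0;
}
```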