On Tue, Feb 14, 2023 at 01:01:05PM -0500, Wietse Venema wrote:

> > Fiction aside, the use-cases look reasonable to me.  I haven't thought
> > through what downgrades (from e.g. DANE) are introduced by the various
> > (optional) fallback controls.  If they do introduce potential
> > downgrades, a brief note to that effect may be warranted in the docs.
> 
> There is no implied downgrade. SRV is really like MX, with weights
> and ports added. As long as the port info is propagated properly,
> TLSA will just work, and connection caching will maintain separation
> of traffic streams that should be distinct.

What I had in mind was (optionally?) ignoring SRV lookup failure, rather
than deferring delivery.  If there are TLSA records for the SRV targets,
but none for the fallback delivery method, then we possibly get a
downgrade by ignoring lookup failure...

-- 
    Viktor.
