Viktor Dukhovni:
> On Tue, Feb 14, 2023 at 01:01:05PM -0500, Wietse Venema wrote:
> 
> > > Fiction aside, the use-cases look reasonable to me.  I haven't thought
> > > through what downgrades (from e.g. DANE) are introduced by the various
> > > (optional) fallback controls.  If they do introduce potential
> > > downgrades, a brief note to that effect may be warranted in the docs.
> > 
> > There is no implied downgrade. SRV is really like MX, with weights
> > and ports added. As long as the port info is propagated properly,
> > TLSA will just work, and connection caching will maintain separation
> > of traffic streams that should be distinct.
> 
> What I had in mind was (optionally?) ignoring SRV lookup failure, rather
> than deferring delivery.  If there are TLSA records for the SRV targets,
> but none for the fallback delivery method, then we possibly get a
> downgrade by ignoring lookup failure...

But that problem already exists when a domain has some MX targets with
TLSA records and some MX targets without TLSA?

        Wietse
