Viktor Dukhovni:
> On Tue, Feb 14, 2023 at 01:01:05PM -0500, Wietse Venema wrote:
>
> > > Fiction aside, the use-cases look reasonable to me. I haven't thought
> > > through what downgrades (from e.g. DANE) are introduced by the various
> > > (optional) fallback controls. If they do introduce potential
> > > downgrades, a brief note to that effect may be warranted in the docs.
> >
> > There is no implied downgrade. SRV is really like MX, with weights
> > and ports added. As long as the port info is propagated properly,
> > TLSA will just work, and connection caching will maintain separation
> > of traffic streams that should be distinct.
>
> What I had in mind was (optionally?) ignoring SRV lookup failure, rather
> than deferring delivery. If there are TLSA records for the SRV targets,
> but none for the fallback delivery method, then we possibly get a
> downgrade by ignoring lookup failure...

But that problem already exists when a domain has some MX targets with TLSA records and some MX targets without TLSA?

Wietse
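The two situations being compared in this exchange can be made concrete with a small policy model. The following is an added example, not Postfix code and not the patch under discussion: it assumes a simplified resolver answer (`secure`, `insecure`, `nodata`, `error`), a DANE rule that a next-hop only gets the `dane` level when both the SRV/MX chain and the TLSA RRset at (target, port) are DNSSEC-validated, and a hypothetical `ignore_srv_failure` switch standing in for the optional fallback control. The domain, hostnames and TLSA data are constructed. Running it shows the downgrade Viktor describes (an SRV lookup error, when ignored, falls back to MX targets of which one has no TLSA and is therefore delivered at `may`) next to the pre-existing case Wietse points at (a domain with no SRV at all and mixed TLSA coverage across its MX targets produces the same `may` hop).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed resolver answers. A real MTA gets these from a validating
# resolver; the model keeps only the outcomes that drive the policy decision.
@dataclass
class Answer:
    status: str                     # "secure", "insecure", "nodata" or "error"
    records: List[tuple] = field(default_factory=list)

@dataclass
class Zone:
    srv: Answer                              # SRV RRset for the service
    mx: Answer                               # MX RRset for the domain
    tlsa: Dict[Tuple[str, int], Answer]      # TLSA RRsets keyed by (target, port)

def tls_level(zone: Zone, parent_secure: bool, host: str, port: int) -> str:
    """Security level for one next-hop: 'dane', 'may' or 'defer'.

    DANE requires the lookup that produced the target name (SRV or MX) to be
    DNSSEC-validated as well as a secure, non-empty TLSA RRset at (target, port).
    """
    if not parent_secure:
        return "may"                # unsigned target name: TLSA cannot be trusted
    tlsa = zone.tlsa.get((host, port), Answer("nodata"))
    if tlsa.status == "error":
        return "defer"              # unknown TLSA state: never fall back to plain TLS
    if tlsa.status == "secure" and tlsa.records:
        return "dane"
    return "may"                    # signed denial of existence: opportunistic TLS

def plan_delivery(zone: Zone, ignore_srv_failure: bool):
    """Return ('defer', []) or ('deliver', [(host, port, level), ...])."""
    srv = zone.srv
    if srv.status in ("secure", "insecure") and srv.records:
        secure = srv.status == "secure"
        # SRV targets carry their own ports, so TLSA is looked up per (host, port).
        return "deliver", [
            (host, port, tls_level(zone, secure, host, port))
            for (_prio, _weight, port, host) in sorted(srv.records)
        ]
    if srv.status == "error" and not ignore_srv_failure:
        return "defer", []          # SRV lookup failed: retry later, don't guess
    # No SRV (nodata), or a lookup error the hypothetical option told us to
    # ignore: fall back to MX on port 25.
    mx = zone.mx
    if mx.status == "error":
        return "defer", []
    secure = mx.status == "secure"
    return "deliver", [
        (host, 25, tls_level(zone, secure, host, 25))
        for (_pref, host) in sorted(mx.records)
    ]

# Constructed example domain: one DANE-protected SRV target, and MX targets
# of which only the first publishes TLSA.
SRV_RRSET = [(0, 1, 587, "srv1.example.test")]
MX_RRSET = [(10, "mx1.example.test"), (20, "mx2.example.test")]
TLSA = {
    ("srv1.example.test", 587): Answer("secure", [(3, 1, 1, "<constructed srv1 hash>")]),
    ("mx1.example.test", 25): Answer("secure", [(3, 1, 1, "<constructed mx1 hash>")]),
    ("mx2.example.test", 25): Answer("nodata"),   # no TLSA for mx2
}

ZONE_SRV_OK = Zone(Answer("secure", SRV_RRSET), Answer("secure", MX_RRSET), TLSA)
ZONE_SRV_ERROR = Zone(Answer("error"), Answer("secure", MX_RRSET), TLSA)
ZONE_NO_SRV = Zone(Answer("nodata"), Answer("secure", MX_RRSET), TLSA)

def levels(plan) -> List[str]:
    """Just the TLS levels of a delivery plan, in next-hop order."""
    return [level for (_h, _p, level) in plan[1]]

if __name__ == "__main__":
    cases = [("srv ok", ZONE_SRV_OK), ("srv error", ZONE_SRV_ERROR), ("no srv", ZONE_NO_SRV)]
    for name, zone in cases:
        for ignore in (False, True):
            print(f"{name:10} ignore_srv_failure={ignore!s:5} -> {plan_delivery(zone, ignore)}")
```

With the switch off, an SRV lookup error defers delivery and the `dane` level is preserved for the retry; with it on, the same error yields a plan whose second hop is `may`. The `ZONE_NO_SRV` case shows that a domain with no SRV and partial TLSA coverage on its MX targets already produces that `may` hop, which is the existing exposure Wietse refers to. The difference is who controls it: partial TLSA coverage is the domain owner's choice, whereas a lookup error can be caused by anyone who can disturb the resolver path, which is why treating it as a deferral rather than a fallback is the conservative default.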