When TLSA records are used, the SRV destination should be the only name checked for in the certs.
It would be best for XMPP to target that model for all TLS usage. It is much easier than the pre-TLSA options are.

-JimC
--
James Cloos <cl...@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6