On Sun, Jun 30, 2019, at 09:54, Dave Cridland wrote:
> 1) It's not A/AAAA fallback "as per RFC 6120", because we're talking
> about a Direct TLS fallback. It should be per section... erm...
> 2) This document doesn't mention an A/AAAA fallback at all, and perhaps
> that's right - do we ever want one with '368?
>
> Please comment on-list.
I've been meaning to change my library to do its fallback a little differently, including trying direct TLS fallback A/AAAA fallback. DNS often doesn't use any sort of security measures, so to prevent DNS based downgrade attacks it seems best to me to always try direct TLS on the A/AAAA record, just as we always try StartTLS even if it's not advertised.

—Sam

_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
_______________________________________________
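The connection policy Sam describes, as an added example (not code from his library or from any XMPP project): build the ordered list of connection attempts from the XEP-0368 `_xmpps-client` SRV records, then the RFC 6120 `_xmpp-client` records, and when neither lookup returned anything fall back to the domain's own A/AAAA address with a direct TLS attempt first and STARTTLS second. The STARTTLS step likewise ignores whether the server advertised it and never continues in plaintext if the server refuses. All record data is constructed; port 5223 as the direct-TLS fallback port is an assumption (XEP-0368 fixes no port), 5222 is the RFC 6120 default.

```python
"""Candidate ordering for an XMPP client connect.

Policy (from the discussion above): direct TLS first, STARTTLS second,
and on the A/AAAA fallback still try direct TLS before STARTTLS, so a
forged or stripped SRV answer cannot by itself downgrade the connection.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str   # "." means "service decidedly not available" (RFC 2782)


@dataclass(frozen=True)
class Candidate:
    host: str
    port: int
    mode: str     # "direct-tls" (XEP-0368) or "starttls" (RFC 6120)


def usable(records):
    """Drop the RFC 2782 '.' sentinel and order by priority, then weight.

    Real clients choose among equal priorities by weighted random
    selection; descending weight keeps this example deterministic.
    """
    live = [r for r in records if r.target != "."]
    return sorted(live, key=lambda r: (r.priority, -r.weight))


def candidates(domain, xmpps_srv, xmpp_srv, tls_port=5223, c2s_port=5222):
    """Return the ordered connection attempts for `domain`.

    xmpps_srv: answers for _xmpps-client._tcp (XEP-0368)
    xmpp_srv:  answers for _xmpp-client._tcp  (RFC 6120)
    tls_port is an assumed conventional direct-TLS port, not from XEP-0368.
    """
    plan = []
    for r in usable(xmpps_srv):
        plan.append(Candidate(r.target, r.port, "direct-tls"))
    for r in usable(xmpp_srv):
        plan.append(Candidate(r.target, r.port, "starttls"))

    # A/AAAA fallback only when both lookups returned nothing at all.
    # A '.' record is an explicit "not offered" and suppresses fallback,
    # so an empty `plan` with non-empty inputs yields no attempts.
    if not xmpps_srv and not xmpp_srv:
        plan.append(Candidate(domain, tls_port, "direct-tls"))   # try TLS first
        plan.append(Candidate(domain, c2s_port, "starttls"))
    return plan


def starttls_step(server_advertised_starttls, server_accepts):
    """Outcome of the STARTTLS step on a 'starttls' candidate.

    The client sends <starttls/> regardless of whether the <features/>
    stanza advertised it (`server_advertised_starttls` is deliberately
    not consulted), and the only outcomes are 'tls' or 'abort'; there is
    no plaintext continuation.
    """
    return "tls" if server_accepts else "abort"


if __name__ == "__main__":
    # Constructed records: one site with both SRV types, one with none.
    xmpps = [Srv(10, 5, 5223, "tls.example.net"), Srv(5, 1, 443, "edge.example.net")]
    xmpp = [Srv(0, 0, 5222, "xmpp.example.net")]
    for c in candidates("example.net", xmpps, xmpp):
        print(c)
    for c in candidates("example.net", [], []):
        print(c)
```

Worth noting for the downgrade case: with no SRV answers the first attempt is still a TLS handshake to the domain itself, so an attacker who can only influence DNS has to present a certificate for the domain to get the client past that step, which is the property the post is after.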