Felix Eckhofer felix at
Mon Jan 19 13:54:52 CET 2015


On 19.01.2015 13:39, Wolfgang Breyha wrote:
> On 19/01/15 13:21, Felix Eckhofer wrote:
>> Note that it says client treatment is undefined. It also says
>> "should", not "SHOULD".
> And that makes which difference? ;-)

If treatment is undefined, postfix is compliant with the dane-smtp draft 
no matter what it does. As for "SHOULD", see RFC 2119.

> I think the TLSA RR should not (or SHOULD NOT?) be used for DANE, but
> on the other hand the TLS connection should not fail since there is no
> "usable" TLSA record at all in respect to DANE-SMTP. Right?

That is how I understand it, yes.
A PKIX-EE RR "SHOULD NOT" be published (as per 3.1.3). The behavior of 
the smtp client is undefined, as you quoted yourself, but if they choose 
to treat them as unusable a connection "MUST be made via TLS" (2.2).
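The distinction the two of them are drawing (a PKIX-EE record is published but not "usable", so the client must still connect over TLS without DANE authentication) can be expressed as a small policy decision. The following is an added example, not code from the thread or from Postfix: it classifies a TLSA RRset and derives the client policy. The usage/selector/matching-type numbers are the RFC 6698 code points (PKIX-TA=0, PKIX-EE=1, DANE-TA=2, DANE-EE=3); the policy mapping follows the reading of sections 2.2 and 3.1.3 given above, and the set of "supported" selectors and matching types, the `Policy` names and the sample records are assumptions constructed for the example.

```python
# Added example, not from the mailing-list thread or from Postfix.
# Classify a TLSA RRset for DANE-SMTP and derive the client's connection policy.
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Policy(Enum):
    # No (secure) TLSA RRset at all: ordinary opportunistic TLS.
    OPPORTUNISTIC_TLS = "no TLSA RRset: TLS if offered, cleartext fallback allowed"
    # RRset exists but nothing is usable: per section 2.2 the connection
    # MUST still be made via TLS, but there is nothing to authenticate against.
    TLS_REQUIRED_UNAUTHENTICATED = "TLSA RRset present, no usable record: TLS mandatory, unauthenticated"
    # At least one usable record: TLS mandatory and the peer must match a record.
    DANE_VERIFIED_TLS_REQUIRED = "usable TLSA record(s): TLS mandatory and DANE-verified"


@dataclass(frozen=True)
class TLSA:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes


USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
# Assumption: what this hypothetical client supports.
SUPPORTED_SELECTORS = {0, 1}
SUPPORTED_MATCHING = {0, 1, 2}
DIGEST_LEN = {1: 32, 2: 64}  # expected digest sizes for SHA-256 / SHA-512


def parse_tlsa(text: str) -> TLSA:
    """Parse presentation format: 'usage selector matching-type hexdata...'."""
    usage, selector, mtype, *hexparts = text.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def is_usable(rr: TLSA) -> bool:
    """Usable for DANE-SMTP only if DANE-TA(2) or DANE-EE(3) with parameters the
    client supports and a well-formed digest. PKIX-TA/PKIX-EE are treated as
    unusable, the choice the thread discusses for Postfix."""
    if rr.usage not in (2, 3):
        return False
    if rr.selector not in SUPPORTED_SELECTORS or rr.matching_type not in SUPPORTED_MATCHING:
        return False
    expected = DIGEST_LEN.get(rr.matching_type)
    if expected is not None and len(rr.data) != expected:
        return False  # malformed digest: unusable rather than a hard failure
    return True


def decide_policy(rrset: Optional[List[TLSA]]) -> Policy:
    """Map an RRset (None/empty = no secure TLSA RRset found) to a policy."""
    if not rrset:
        return Policy.OPPORTUNISTIC_TLS
    if any(is_usable(rr) for rr in rrset):
        return Policy.DANE_VERIFIED_TLS_REQUIRED
    return Policy.TLS_REQUIRED_UNAUTHENTICATED


# Constructed sample RRsets; the digests are placeholder bytes, not real certificates.
SAMPLE_PKIX_EE_ONLY = ["1 1 1 " + "aa" * 32]                       # the case from the thread
SAMPLE_MIXED = ["1 1 1 " + "aa" * 32, "3 1 1 " + "bb" * 32]        # PKIX-EE plus DANE-EE
SAMPLE_BAD_DIGEST = ["3 1 1 " + "cc" * 16]                         # DANE-EE with truncated SHA-256


if __name__ == "__main__":
    for label, rrs in [("none", None), ("pkix-ee only", SAMPLE_PKIX_EE_ONLY),
                       ("mixed", SAMPLE_MIXED), ("bad digest", SAMPLE_BAD_DIGEST)]:
        parsed = None if rrs is None else [parse_tlsa(r) for r in rrs]
        usable = [] if parsed is None else [USAGE_NAMES[rr.usage] for rr in parsed if is_usable(rr)]
        print(f"{label:14s} usable={usable} -> {decide_policy(parsed).value}")
```

Note that a PKIX-EE-only RRset lands in the middle case: the connection is not allowed to fail back to cleartext, but no DANE verification is performed either, which matches the "connection MUST be made via TLS" reading above.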


