felix at tribut.de
Mon Jan 19 13:54:52 CET 2015
On 19.01.2015 13:39, Wolfgang Breyha wrote:
> On 19/01/15 13:21, Felix Eckhofer wrote:
>> Note that it says client treatment is undefined. It also says
>> "should", not
> And that makes which difference? ;-)
If treatment is undefined, postfix is compliant with the dane-smtp draft
no matter what it does. As for "SHOULD", see RFC 2119.
> I think the TLSA RR should not (or SHOULD NOT?) be used for DANE, but on
> the other hand the TLS connection should not fail since there is no
> "usable" TLSA record at all in respect to DANE-SMTP. Right?
That is how I understand it, yes.
A PKIX-EE RR "SHOULD NOT" be published (as per 3.1.3). The behavior of
the smtp client is undefined, as you quoted yourself, but if they choose
to treat them as unusable a connection "MUST be made via TLS" (2.2).
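
Added example (not part of the original message, and not Postfix code): a sketch of the decision discussed above for an SMTP client that chooses to treat PKIX-TA/PKIX-EE records as unusable. That choice is an assumption, since the draft leaves it undefined; the function names and policy labels are hypothetical, and the record data is constructed.

```python
# Assumption: this client treats PKIX-TA(0) and PKIX-EE(1) as unusable,
# one of the behaviours the draft permits by leaving treatment undefined.
DANE_USAGES = {2, 3}            # DANE-TA, DANE-EE
DIGEST_HEX_LEN = {1: 64, 2: 128}  # matching type 1 = SHA2-256, 2 = SHA2-512


def parse_tlsa(rdata):
    """Parse presentation-format TLSA RDATA: 'usage selector mtype hex...'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA RDATA needs four fields")
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = "".join(parts[3:]).lower()
    bytes.fromhex(data)  # raises ValueError if the data is not valid hex
    return usage, selector, mtype, data


def is_usable(record):
    """True if the record has a DANE usage and well-formed parameters."""
    usage, selector, mtype, data = record
    if usage not in DANE_USAGES:
        return False
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        return False
    expected = DIGEST_HEX_LEN.get(mtype)
    return expected is None or len(data) == expected


def tls_policy(rdatas):
    """Map a (DNSSEC-validated) TLSA RRset to a policy label and usable records."""
    if not rdatas:
        return "opportunistic", []          # no TLSA records: pre-DANE behaviour
    usable = []
    for rdata in rdatas:
        try:
            record = parse_tlsa(rdata)
        except ValueError:
            continue                         # malformed records count as unusable
        if is_usable(record):
            usable.append(record)
    if usable:
        return "dane-authenticated", usable  # authenticate against these records
    # Records exist but none is usable: TLS is still required (section 2.2),
    # but the peer certificate cannot be authenticated via DANE.
    return "mandatory-unauthenticated-tls", []


if __name__ == "__main__":
    pkix_ee = "1 0 1 " + "ab" * 32           # constructed PKIX-EE record
    print(tls_policy([pkix_ee]))
```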