On 19.01.2015 13:39, Wolfgang Breyha wrote:
On 19/01/15 13:21, Felix Eckhofer wrote:
Note that it says client treatment is undefined. It also says "should", not "SHOULD".
And that makes which difference? ;-)
If treatment is undefined, Postfix is compliant with the dane-smtp draft no matter what it does. As for "SHOULD", see RFC 2119.
I think the TLSA RR should not (or SHOULD NOT?) be used for DANE, but on the other hand the TLS connection should not fail, since there is no "usable" TLSA record at all with respect to DANE-SMTP. Right?
That is how I understand it, yes. A PKIX-EE RR "SHOULD NOT" be published (as per 3.1.3). The behavior of the SMTP client is undefined, as you quoted yourself, but if they choose to treat them as unusable, a connection "MUST be made via TLS" (2.2).
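The decision the thread describes, written out as an added example (not Postfix code and not from either participant): a DANE-SMTP client classifies each TLSA record as usable or unusable, and from that picks one of three outcomes. The usability rules below are my reading of the dane-smtp draft (later RFC 7672, section 3.1): only certificate usages DANE-TA(2) and DANE-EE(3) count, PKIX-TA(0)/PKIX-EE(1) are treated as unusable, and a digest whose length does not match its matching type is malformed. A PKIX-EE record therefore does not authenticate anything, but since the TLSA RRset exists the client still has to use TLS; only an empty (or non-DNSSEC) RRset leaves plain opportunistic TLS. The record data is constructed.

```python
"""DANE-SMTP TLSA usability and TLS policy selection.

Added illustration, not code from Postfix or from the thread's participants.
Rules follow my reading of the dane-smtp draft (RFC 7672, section 3.1):
  usage    : only DANE-TA(2) and DANE-EE(3) are usable for SMTP
  selector : Cert(0) or SPKI(1)
  mtype    : Full(0), SHA2-256(1) or SHA2-512(2); digest length must match
Anything else is "unusable" but still makes TLS mandatory (section 2.2).
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

DIGEST_LEN = {1: 32, 2: 64}  # matching type -> expected digest length in bytes


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


class Policy(Enum):
    OPPORTUNISTIC = "opportunistic TLS, cleartext fallback allowed"
    TLS_REQUIRED = "TLS required, certificate not authenticated"
    DANE = "TLS required, DANE-authenticated"


def why_unusable(rr: TLSA) -> Optional[str]:
    """Return a reason the record cannot be used by a DANE-SMTP client, or None."""
    if rr.usage not in (2, 3):
        return "usage %d is not DANE-TA(2) or DANE-EE(3)" % rr.usage  # PKIX-EE lands here
    if rr.selector not in (0, 1):
        return "unknown selector %d" % rr.selector
    if rr.mtype not in (0, 1, 2):
        return "unknown matching type %d" % rr.mtype
    if not rr.data:
        return "empty association data"
    want = DIGEST_LEN.get(rr.mtype)  # None for Full(0): no fixed length
    if want is not None and len(rr.data) != want:
        return "digest length %d, expected %d" % (len(rr.data), want)
    return None


def usable(rr: TLSA) -> bool:
    return why_unusable(rr) is None


def choose_policy(rrset: List[TLSA], dnssec_secure: bool) -> Policy:
    """Pick the client's TLS policy for a peer from its (validated) TLSA RRset.

    dnssec_secure=False models an RRset the resolver could not validate; the
    draft tells the client to ignore such records, so it behaves as if empty.
    """
    if not rrset or not dnssec_secure:
        return Policy.OPPORTUNISTIC
    if any(usable(rr) for rr in rrset):
        return Policy.DANE
    # Records exist but none is usable: TLS is still mandatory, just not
    # authenticated. This is the PKIX-EE case discussed above.
    return Policy.TLS_REQUIRED


if __name__ == "__main__":
    # Constructed records: a PKIX-EE(1) SPKI SHA-256 record and a DANE-EE(3) one.
    pkix_ee = TLSA(1, 1, 1, b"\x11" * 32)
    dane_ee = TLSA(3, 1, 1, b"\x22" * 32)
    for rr in (pkix_ee, dane_ee):
        print(rr.usage, rr.selector, rr.mtype, why_unusable(rr) or "usable")
    print(choose_policy([pkix_ee], True).value)
```

Running the block prints the PKIX-EE record as unusable and the resulting policy "TLS required, certificate not authenticated", which is the "connection MUST be made via TLS" outcome quoted above; adding the DANE-EE record to the same RRset switches the policy to DANE.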