[Standards] Council Minutes 2019-07-10

Travis Burtrum travis at burtrum.org
Sat Jul 20 03:34:16 UTC 2019


On 7/19/19 7:52 AM, Florian Schmaus wrote:
> On 19.07.19 07:36, Travis Burtrum wrote:
>> If the initiating party cannot connect via either SRV record, it
>> SHOULD perform A/AAAA fallback to port(s) of its choice (perhaps 443,
>> 5223, etc) because, in the absence of DNSSEC, SRV records cannot be
>> trusted.
>
> If in the absence of DNSSEC SRV records cannot be trusted, which is of
> course true, why should you trust A/AAAA resource records?

That is a fair question. There are a few reasons I can think of: poorly
configured networks, either intentionally or not; Tor DNS supports A/AAAA
but not SRV; maybe others?

But more importantly, you aren't implicitly trusting them: only if the
TLS cert is valid do you connect, so I don't see the harm in attempting
to connect anyway, whereas giving up early can cause harm in the form
of a user not being able to connect.
