On Thu, Jan 15, 2015 at 12:55:26AM +0000, Viktor Dukhovni wrote:
> Perverse configurations with wrapper mode and a security level of
> "none" are configuration errors.
As is a security level of "may", which is opportunistic and supports cleartext and fallback to cleartext. By the time destination policy is resolved, "dane" peers with no TLSA RRs get a policy of "may", so we don't need to explicitly check for "dane" with wrapper-mode, though such a policy might hide latent misconfiguration if someone were to rely on "_465._tcp" DANE TLSA records that might some day be removed.

Warnings could be added to the policy resolution code.

-- 
Viktor.
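The resolution rule the reply describes (a "dane" destination with no TLSA records ends up at "may", and wrapper mode with "none" or "may" is a configuration error that such a downgrade can hide) is modelled below. This is an added example, not Postfix code: `resolve_policy`, `audit_destinations`, the `Resolved` record and the constructed destination table are all hypothetical, and the level list is the one documented for the Postfix SMTP client; the warning text is a suggestion of the kind of message the reply says could be added.

```python
"""Hypothetical model of per-destination TLS policy resolution.

Added example code (not Postfix source). It models two things from the
thread: a "dane" level falling back to "may" when the destination has no
TLSA records, and a resolution-time warning when wrapper mode is combined
with a level that still allows cleartext, including the latent case where
the *configured* level was "dane" but no TLSA records remain.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Postfix SMTP client security levels, weakest to strongest.
LEVELS = ("none", "may", "encrypt", "dane", "dane-only",
          "fingerprint", "verify", "secure")

# Levels that permit cleartext delivery. They make no sense with wrapper
# mode, where TLS is negotiated before any SMTP command is exchanged.
CLEARTEXT_CAPABLE = {"none", "may"}


@dataclass
class Resolved:
    configured: str                 # level as written in the configuration
    effective: str                  # level after destination policy resolution
    warnings: List[str] = field(default_factory=list)


def resolve_policy(configured: str, wrappermode: bool, has_tlsa: bool) -> Resolved:
    """Resolve one destination's level and flag wrapper-mode misconfiguration."""
    if configured not in LEVELS:
        raise ValueError(f"unknown security level: {configured!r}")
    effective = configured
    res = Resolved(configured, effective)
    # Per the thread: "dane" peers with no TLSA RRs get a policy of "may".
    if configured == "dane" and not has_tlsa:
        effective = "may"
        res.effective = effective
    if wrappermode and effective in CLEARTEXT_CAPABLE:
        if configured != effective:
            # Latent case: the configuration looked strict, but DNS no longer
            # carries the records the "dane" level depended on.
            res.warnings.append(
                f"wrapper mode with level '{configured}' resolved to "
                f"'{effective}' (no TLSA records): latent misconfiguration")
        else:
            res.warnings.append(
                f"wrapper mode with level '{effective}': configuration error")
    return res


def audit_destinations(table: List[Tuple[str, str, bool, bool]]) -> List[Tuple[str, str]]:
    """Return (destination, warning) pairs for every entry that warrants one.

    Each table row is (destination, configured_level, wrappermode, has_tlsa);
    has_tlsa stands in for a DNS lookup of the _465._tcp TLSA record set.
    """
    findings = []
    for dest, level, wrappermode, has_tlsa in table:
        for warning in resolve_policy(level, wrappermode, has_tlsa).warnings:
            findings.append((dest, warning))
    return findings


# Constructed sample destination table (hypothetical names).
SAMPLE_TABLE = [
    ("example.test",   "none",    True,  False),   # error: cleartext level, wrapper mode
    ("relay.test",     "may",     True,  True),    # error: opportunistic, wrapper mode
    ("dane-gone.test", "dane",    True,  False),   # latent: TLSA records removed
    ("dane-ok.test",   "dane",    True,  True),    # fine: TLSA present, stays "dane"
    ("strict.test",    "encrypt", True,  False),   # fine: mandatory TLS
    ("starttls.test",  "may",     False, False),   # fine: no wrapper mode involved
]

if __name__ == "__main__":
    for dest, warning in audit_destinations(SAMPLE_TABLE):
        print(f"{dest}: {warning}")
```

Running the module prints one line for each of the first three sample destinations and nothing for the rest; the "dane-gone.test" row is the case the reply calls out, where a check written only against the configured level would see "dane" and stay silent.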