On Mon, Jun 06, 2016 at 08:36:09PM +0200, Tom Hendrikx wrote:
> > I did some further research. It seems that validns does not like this
> > construct, because it insists that TLSA records are 'properly prefixed'
> > (i.e. with a port and service prefix, see [1]).
>
> Insists, as a policy check, which I have enabled (but is off by default)...

There is no requirement for the owner names of TLSA RRsets to take the
form:

    _<port>._<proto>.host.example.

Tools that implement such constraints are misguided. Please open
a bug report with the tool designer.
--
Viktor.