Rich Felker:
> I can see where it could be desirable to log whether delivery was made
> based on a TLSA record in a signed domain vs an unsigned one, and this
> necessitates being able to see the AD bit or equivalent. But it does
> not justify dropping all protections if you can't see it, just
> dropping the ability to log (or rather, warning in the log that all
> records look like potentially-unsigned ones).
It would be a mistake to use TLSA records from an unsigned domain. That would be no more secure than accepting a random server certificate. All the pain of doing TLSA and none of the gain, just security theatre.

Wietse
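The point of the exchange, as an added illustration that is not part of the thread or of Postfix: a client-side policy that only treats TLSA data as authoritative when the validating resolver set the AD bit, and otherwise falls back rather than trusting unsigned records. The header parsing follows the RFC 1035/4035 layout; the policy names (`dane`, `may`, `defer`) and the decision rules are a hypothetical design, and only the header is inspected (the TLSA RDATA itself is not parsed here).

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD bit from RFC 4035) in the 16-bit flags word.
FLAG_TC = 0x0200      # truncated: the answer is incomplete, retry over TCP
FLAG_AD = 0x0020      # authenticated data: the resolver validated the answer with DNSSEC
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

def parse_header(msg: bytes) -> dict:
    """Return the fields of a DNS reply header that the DANE policy decision depends on."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"ad": bool(flags & FLAG_AD), "tc": bool(flags & FLAG_TC),
            "rcode": flags & RCODE_MASK, "ancount": ancount}

def tlsa_policy(reply: bytes) -> tuple:
    """Decide how to treat a TLSA lookup reply (hypothetical policy, not Postfix's code).

    Returns (level, log_message). 'dane' enforces the TLSA records, 'may' is
    opportunistic TLS with no TLSA-based authentication, 'defer' retries later.
    TLSA data without the AD bit is logged and ignored, never trusted.
    """
    h = parse_header(reply)
    if h["tc"] or h["rcode"] == RCODE_SERVFAIL:
        return "defer", "TLSA lookup truncated or failed; retrying later"
    if h["rcode"] not in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "defer", "unexpected rcode %d in TLSA reply" % h["rcode"]
    if h["ancount"] == 0:
        return "may", "no TLSA records; opportunistic TLS"
    if not h["ad"]:
        return "may", "TLSA records without AD bit look unsigned; ignoring them"
    return "dane", "%d signed TLSA record(s); enforcing DANE" % h["ancount"]

def make_reply(flags: int, ancount: int) -> bytes:
    """Constructed sample: a reply header with QR set plus the given flags and answer count."""
    return struct.pack("!6H", 0x1234, 0x8000 | flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    for name, reply in [("signed", make_reply(FLAG_AD, 2)),
                        ("unsigned", make_reply(0, 2)),
                        ("absent", make_reply(RCODE_NXDOMAIN, 0)),
                        ("servfail", make_reply(RCODE_SERVFAIL, 0))]:
        print(name, tlsa_policy(reply))
```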