From cf5b51996317373ad8fe47ea86ba5ede3b6fcf90 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Tue, 10 Aug 2021 13:51:29 +0200 Subject: [PATCH] Explain the reasons why `` TLS certificate is needed rather than `` for SRV delegation. (#3322) Signed-off-by: Niels Basjes --- .../server_server/newsfragments/3322.clarification | 1 + content/server-server-api.md | 9 +++++++++ 2 files changed, 10 insertions(+) create mode 100644 changelogs/server_server/newsfragments/3322.clarification diff --git a/changelogs/server_server/newsfragments/3322.clarification b/changelogs/server_server/newsfragments/3322.clarification new file mode 100644 index 00000000..fdcd7db9 --- /dev/null +++ b/changelogs/server_server/newsfragments/3322.clarification @@ -0,0 +1 @@ +Explain the reasons why `` TLS certificate is needed rather than `` for SRV delegation. \ No newline at end of file diff --git a/content/server-server-api.md b/content/server-server-api.md index 9013d6c0..763c0e68 100644 --- a/content/server-server-api.md +++ b/content/server-server-api.md @@ -134,6 +134,15 @@ to send. The process overall is as follows: 8448 and a `Host` header containing the ``. The target server must present a valid certificate for ``. +{{% boxes/note %}} +The reasons we require `` rather than `` for SRV +delegation are: + 1. DNS is insecure (not all domains have DNSSEC), so the target of the delegation + must prove that it is a valid delegate for `` via TLS. + 2. Consistency with the recommendations in [RFC6125](https://datatracker.ietf.org/doc/html/rfc6125#section-6.2.1) + and other applications using SRV records such [XMPP](https://datatracker.ietf.org/doc/html/rfc6120#section-13.7.2.1). +{{% /boxes/note %}} + The TLS certificate provided by the target server must be signed by a known Certificate Authority. Servers are ultimately responsible for determining the trusted Certificate Authorities, however are strongly