From cafa603794ebce7df1ac4204690ce47d718bce6e Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Mon, 9 Aug 2021 11:13:36 +0200 Subject: [PATCH] Explain the reasons why `` TLS certificate is needed rather than `` for SRV delegation. Signed-off-by: Niels Basjes --- .../server_server/newsfragments/3322.clarification | 1 + content/server-server-api.md | 9 +++++++++ 2 files changed, 10 insertions(+) create mode 100644 changelogs/server_server/newsfragments/3322.clarification diff --git a/changelogs/server_server/newsfragments/3322.clarification b/changelogs/server_server/newsfragments/3322.clarification new file mode 100644 index 00000000000..fdcd7db9b46 --- /dev/null +++ b/changelogs/server_server/newsfragments/3322.clarification @@ -0,0 +1 @@ +Explain the reasons why `` TLS certificate is needed rather than `` for SRV delegation. \ No newline at end of file diff --git a/content/server-server-api.md b/content/server-server-api.md index 9013d6c0f52..763c0e68fbc 100644 --- a/content/server-server-api.md +++ b/content/server-server-api.md @@ -134,6 +134,15 @@ to send. The process overall is as follows: 8448 and a `Host` header containing the ``. The target server must present a valid certificate for ``. +{{% boxes/note %}} +The reasons we require `` rather than `` for SRV +delegation are: + 1. DNS is insecure (not all domains have DNSSEC), so the target of the delegation + must prove that it is a valid delegate for `` via TLS. + 2. Consistency with the recommendations in [RFC6125](https://datatracker.ietf.org/doc/html/rfc6125#section-6.2.1) + and other applications using SRV records such [XMPP](https://datatracker.ietf.org/doc/html/rfc6120#section-13.7.2.1). +{{% /boxes/note %}} + The TLS certificate provided by the target server must be signed by a known Certificate Authority. Servers are ultimately responsible for determining the trusted Certificate Authorities, however are strongly
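Review bot: In the changelogs/server_server/newsfragments/3322.clarification hunk, the new file is committed without a trailing newline ("\ No newline at end of file"); add one so the fragment concatenates cleanly with the others. Also, the two hostname placeholders in "why `` TLS certificate is needed rather than ``" show up as empty backticks in this rendering, so double-check that the committed text actually names the two hostnames being contrasted rather than shipping empty code spans.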
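Review bot: In the content/server-server-api.md hunk, reason 2 has a grammatical slip: "other applications using SRV records such [XMPP]" should read "such as [XMPP]". The same empty-backtick placeholders as in the changelog fragment appear here ("rather than `` for SRV delegation", "valid delegate for `` via TLS"); the note only makes sense if both spans name the hostnames explicitly, matching the "`Host` header containing the ``" and "valid certificate for ``" sentences immediately above it. The substance is right and worth keeping: because SRV lookups are unauthenticated where DNSSEC is absent, the delegated server proving possession of a certificate for the original server name is what prevents an attacker who can influence DNS answers from redirecting federation traffic, and this sentence could say so slightly more directly, e.g. "must prove via TLS that it is authorised to act for ``".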