On 20 July 2025 16:07:50 CEST, Daniel Baumann <dan...@debian.org> wrote:
>Hi Julian
>
>> No that's not how SRV records work or can even work.
>
>I don't think we have the same understanding on "how SRV records work" then. 
>however, ...
>
>> You'd completely violate the basic premise of TLS encryption and
>> authenticity, allowing your local network operator to intercept
>> encrypted communications.
>
>no, as I've written it could mimic the same behaviour as 301 in HTTP(S) which 
>obviously doesn't interfere with encryption at all.

The key difference is that this is signed and encrypted by the end point you 
wanted to talk to.

To use the SRV target as the hostname, the DNS record would need to be 
accordingly signed with DNSSEC and that verified such that the authenticity of 
the SRV can be tied back to the domain owner.

-- 
sent from my phone, excuse the brevity, if any
