On 20 July 2025 16:07:50 CEST, Daniel Baumann <dan...@debian.org> wrote:
>Hi Julian
>
>> No that's not how SRV records work or can even work.
>
>I don't think we have the same understanding on "how SRV records work" then.
>however, ...
>
>> You'd completely violate the basic premise of TLS encryption and
>> authenticity, allowing your local network operator to intercept
>> encrypted communications.
>
>no, as I've written it could mimic the same behaviour as 301 in HTTP(S) which
>obviously doesn't interfere with encryption at all.

The key difference is that this is signed and encrypted by the end point you wanted to talk to. To use the SRV target as the hostname, the DNS record would need to be accordingly signed with DNSSEC and that verified such that the authenticity of the SRV can be tied back to the domain owner.

--
sent from my phone, excuse the brevity, if any
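
Added example, not part of the original message: a sketch of the rule stated above, in which a client checks the server certificate against the SRV target only when the SRV answer was DNSSEC-validated, and otherwise against the domain it originally asked for. The `SrvAnswer` type, the `dnssec_validated` flag (assumed to come from a validating resolver) and all host names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class SrvAnswer:
    target: str             # host name the SRV record points to
    port: int
    dnssec_validated: bool  # assumption: set only by a validating resolver


def reference_name(service_domain: str, srv: SrvAnswer) -> str:
    """Return the name the server certificate must be valid for."""
    if srv.dnssec_validated:
        # The redirect is tied back to the domain owner, so the target may be used.
        return srv.target.rstrip(".").lower()
    # Unsigned SRV data only says where to connect, never who to expect.
    return service_domain.rstrip(".").lower()


def san_matches(san: str, name: str) -> bool:
    """Match a dNSName SAN, allowing one wildcard as the left-most label."""
    san = san.rstrip(".").lower()
    if san.startswith("*."):
        head, _, rest = name.partition(".")
        return bool(head) and rest == san[2:]
    return san == name


def accept_connection(service_domain: str, srv: SrvAnswer, cert_sans: list) -> bool:
    """Decide whether a certificate with these SANs is acceptable."""
    ref = reference_name(service_domain, srv)
    return any(san_matches(s, ref) for s in cert_sans)


if __name__ == "__main__":
    # Constructed case: an on-path party forges an unsigned SRV answer and
    # presents a certificate that is valid, but only for its own host.
    forged = SrvAnswer("mirror.intercept.example.", 443, dnssec_validated=False)
    print(accept_connection("deb.example.org", forged, ["mirror.intercept.example"]))
    # Constructed case: the domain owner publishes a DNSSEC-signed SRV record.
    signed = SrvAnswer("mirror.cdn.example.", 443, dnssec_validated=True)
    print(accept_connection("deb.example.org", signed, ["mirror.cdn.example"]))
```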