hi
ive been using TLSA RRs for a while for a number of services
recently ive added an additional cert to postfix to now support both RSA
and ECDSA ciphers for incoming comms
according to dns specs is it legal to have 2 sets of TLSA RRs per
service/port ?
how does that affect CNAMES ?
in the case of postfix, if an MTA chooses an RSA cipher will it look for
the right TLSA RR automatically ?
how ?
is it critically important to have 3 0 1 or 3 1 1 for particular services ?
i believe for smtp and https 3 1 1 is recommended
id like to do this for xmpp too or other services as required
advice very much appreciated
thanks