defanor: If a user sets the server host name and port manually, and the address (A/AAAA) record chosen to connect to it passes DNSSEC validation, is it okay to perform DANE TLSA verification against that manually provided host name?
flow: defanor, you don't perform TLSA verification against the provided host name; you perform it against the provided XMPP service name
flow: e.g. the user configures his JID to be "firstname.lastname@example.org" and the host name to be "enterprise.example.org", then you would perform TLSA verification against "example.org"
defanor: But with SRV records it would be "enterprise.example.org", according to <https://tools.ietf.org/html/draft-ietf-dane-srv-14#section-3.3>, so it seemed to me that with a manually provided host name it would be similar, since it more or less replaces SRV.
flow: this only talks about the TLSA DNS query (lookup)
flow: i.e., it says that you want to look up the TLSA record on the SRV target
defanor: Indeed. I thought I'd read in one of the related RFCs that it allows using certificates for different domains on different servers, but I probably misunderstood something; re-reading the RFCs. And GnuTLS's dane_verify_session_crt seems to assume only a single domain name, not one for the certificate and one for TLSA. Still, what are the required conditions to use DANE with a manually provided host?
flow: defanor, dunno, but I could imagine that you do the TLSA lookup on the user-provided DNS name
defanor: https://tools.ietf.org/html/rfc7673#section-6 -- if I'm reading it right, with DANE-EE there are no constraints on the certificate's identifier, and with DANE-EE it could be either the service/source or the target server/derived domain. Or am I misinterpreting it?