Marius,
Just some ideas for the future. In order to move ahead with DNSSEC and DANE - certificate handling - we need an entry in the NAPTR, SRV and A records on whether they were verified with DNSSEC. This probably needs to be added to the resolver cache.
If they are all verified, we have a verified path and can check TLSA records for certificates or validation or CAs.
If not, we have to resort to traditional TLS.
Parse this as some random notes after reading up on the DANE drafts on SRV records. :-)
http://tools.ietf.org/html/draft-ietf-dane-srv-02
/O
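
An added sketch of the decision described in the message above (not code from the original message or from any project): each cached record carries a DNSSEC flag, and DANE is selected only when the whole NAPTR, SRV and A chain is validated and contiguous. The struct, enum and function names are hypothetical, the sample chain is constructed, TCP is assumed for the TLSA owner name, and names are assumed to be stored without a trailing dot.

```c
#include <stdio.h>
#include <strings.h>

enum rr_type { RR_NAPTR, RR_SRV, RR_A };
enum tls_mode { TLS_TRADITIONAL, TLS_DANE };

/* Hypothetical resolver-cache entry carrying the proposed DNSSEC flag. */
struct cache_entry {
    enum rr_type type;
    const char *owner;    /* name that was queried */
    const char *target;   /* NAPTR replacement or SRV target; NULL for A */
    unsigned port;        /* SRV port, 0 otherwise */
    int secure;           /* 1 only if the answer was DNSSEC-validated */
};

/* Walk NAPTR -> SRV -> A. DANE is chosen only when every hop is validated
 * and each target is the next hop's owner; the TLSA owner name
 * (_port._tcp.target, TCP assumed) is then written to tlsa. */
enum tls_mode select_tls_mode(const struct cache_entry *c, size_t n,
                              char *tlsa, size_t len)
{
    const struct cache_entry *srv = NULL;
    if (len == 0) return TLS_TRADITIONAL;
    tlsa[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (!c[i].secure)
            return TLS_TRADITIONAL;   /* one unvalidated hop breaks the path */
        if (i + 1 < n && (!c[i].target || strcasecmp(c[i].target, c[i + 1].owner)))
            return TLS_TRADITIONAL;   /* hops do not link up */
        if (c[i].type == RR_SRV) srv = &c[i];
    }
    if (!srv || !srv->target) return TLS_TRADITIONAL;
    int w = snprintf(tlsa, len, "_%u._tcp.%s", srv->port, srv->target);
    if (w < 0 || (size_t)w >= len) { tlsa[0] = '\0'; return TLS_TRADITIONAL; }
    return TLS_DANE;
}

/* Constructed sample chain (not real data). */
static const struct cache_entry sample[] = {
    { RR_NAPTR, "example.org", "_sips._tcp.example.org", 0, 1 },
    { RR_SRV, "_sips._tcp.example.org", "sip1.example.org", 5061, 1 },
    { RR_A, "sip1.example.org", NULL, 0, 1 },
};

int main(void)
{
    char tlsa[256];
    enum tls_mode m = select_tls_mode(sample, 3, tlsa, sizeof tlsa);
    printf("%s %s\n", m == TLS_DANE ? "DANE" : "traditional TLS", tlsa);
    return 0;
}
```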