How does DANE affect fallback behavior when DNSSEC fails?
If DNSSEC validation returns a bogus or failed state, the TLSA records cannot be trusted. Depending on configuration, the sending server may:
- refuse to send mail, which is the expected hard-fail behavior for secure-by-default DANE implementations
- fall back to opportunistic TLS
- fall back to plaintext, in rare cases
This is why DNSSEC stability is critical for DANE use.
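The three outcomes above, modeled as a sender-side decision function. This is an added example, not code from any mail server: the names `Dnssec`, `Action`, `FAILURE_POLICY` and `delivery_action` are hypothetical, and the secure and insecure branches follow RFC 7672, which goes slightly beyond the failure case described here.

```python
from enum import Enum

class Dnssec(Enum):
    SECURE = "secure"                # chain of trust validated
    INSECURE = "insecure"            # zone is provably unsigned
    BOGUS = "bogus"                  # signed, but validation failed
    INDETERMINATE = "indeterminate"  # validity unknown (e.g. SERVFAIL)

class Action(Enum):
    DANE_TLS = "mandatory TLS, certificate matched against TLSA"
    ENCRYPT_ONLY = "mandatory TLS, no authentication"
    OPPORTUNISTIC_TLS = "STARTTLS if offered"
    PLAINTEXT = "send without TLS"
    DEFER = "do not send, queue and retry"

# Hypothetical operator setting: what to do when the TLSA lookup
# cannot be trusted. Only "hard-fail" preserves DANE's guarantees.
FAILURE_POLICY = {
    "hard-fail": Action.DEFER,
    "opportunistic": Action.OPPORTUNISTIC_TLS,
    "plaintext": Action.PLAINTEXT,
}

def usable(record):
    """record is (usage, selector, matching_type, hex_data)."""
    usage, selector, mtype, data = record
    # For SMTP, only DANE-TA(2) and DANE-EE(3) usages are relied upon.
    return usage in (2, 3) and selector in (0, 1) and mtype in (0, 1, 2) and bool(data)

def delivery_action(status, tlsa_records, failure_policy="hard-fail"):
    if status in (Dnssec.BOGUS, Dnssec.INDETERMINATE):
        # Records returned alongside a failed validation are never used.
        return FAILURE_POLICY[failure_policy]
    if status is Dnssec.INSECURE or not tlsa_records:
        # Unsigned zone, or signed proof that no TLSA exists: DANE does not apply.
        return Action.OPPORTUNISTIC_TLS
    if any(usable(r) for r in tlsa_records):
        return Action.DANE_TLS
    # Secure TLSA records exist but none can be used: still require encryption.
    return Action.ENCRYPT_ONLY
```

The point to notice is that an insecure (unsigned) answer and a bogus answer lead to different branches: only the bogus or indeterminate case consults the failure policy.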