Hi,

I've been using TLSA RRs for a while for a number of services.

Recently I've added an additional cert to Postfix to now support both RSA and ECDSA ciphers for incoming comms.

According to DNS specs, is it legal to have 2 sets of TLSA RRs per service/port? How does that affect CNAMEs?

In the case of Postfix, if an MTA chooses an RSA cipher, will it look for the right TLSA RR automatically? How?

Is it critically important to have 3 0 1 or 3 1 1 for particular services? I believe for SMTP and HTTPS 3 1 1 is recommended.

I'd like to do this for XMPP too, or other services as required.

Advice very much appreciated.

Thanks