Viktor Dukhovni wrote on 2015-04-09 02:04:

named.conf:
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;

I don't recommend ISC DLV lookaside.  This is obsolete.

Changed to no, thanks for the reminder, I knew this but just forgot it was deprecated.

main.cf:
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

These are Postfix SMTP client settings.

Yes, but it helps when testing the server IMHO, or is there a better way?

from then on just use posttls-finger without any options

posttls-finger dane.sys4.de

Which are not tested by posttls-finger, it tests the DANE configuration
of remote domains, not the client settings of the local MTA which
it mostly does not use.  (It does rely on the same working resolver).

Not good? E.g. is testing own domains this way insecure in testing itself? Local or remote makes no difference there?

posttls-finger localhost
posttls-finger localhost.example.org

I tried to create a TLSA with

printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' $(uname -n) $(openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"')

but it failed for me after the openssl upgrade to 1.0.1l.
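As an added example (not code from this thread, and not Postfix's or any poster's own): the same TLSA 3 1 1 association data that the printf/openssl pipeline above produces, computed in pure Python so it does not depend on a particular openssl build, together with the comparison a DANE client performs between a served certificate and a published record (RFC 6698 selectors 0/1 and matching types 0/1/2). The certificate used for the self-test is a constructed DER skeleton built inline, not a real certificate; `pem_to_der` reads a real PEM file. The hostname `mx.example.org` is a placeholder.

```python
import base64
import hashlib
import re
import sys


def der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample certificate)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def der_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, tbs_pos, _, _ = der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _, _ = der_tlv(cert_der, tbs_pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, _, nxt = der_tlv(cert_der, pos)
    if tag == 0xA0:                         # explicit [0] version; absent in v1 certificates
        pos = nxt
    for _ in range(5):                      # serialNumber, signature, issuer, validity, subject
        _, _, _, pos = der_tlv(cert_der, pos)
    tag, _, _, nxt = der_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:nxt]


def tlsa_data(cert_der, selector, matching_type):
    """Association data: selector 0 = full cert, 1 = SPKI; type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    obj = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return obj.hex()
    if matching_type == 1:
        return hashlib.sha256(obj).hexdigest()
    if matching_type == 2:
        return hashlib.sha512(obj).hexdigest()
    raise ValueError("unsupported matching type")


def tlsa_record(hostname, cert_der, usage=3, selector=1, matching_type=1):
    """Zone-file line for port 25, the same shape the printf pipeline in the thread emits."""
    return "_25._tcp.%s. IN TLSA %d %d %d %s" % (
        hostname, usage, selector, matching_type, tlsa_data(cert_der, selector, matching_type))


def tlsa_matches(cert_der, selector, matching_type, published_hex):
    """Does the served certificate satisfy a published record? (The DANE client's comparison.)"""
    return tlsa_data(cert_der, selector, matching_type) == published_hex.strip().lower()


# Constructed sample: a DER certificate skeleton with a P-256 SPKI, empty issuer and
# subject names, and a dummy signature.  It is NOT a real, verifiable certificate.
_OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1
_OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")    # 1.2.840.10045.3.1.7
_OID_ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")  # 1.2.840.10045.4.3.2
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, _OID_EC_PUBLIC_KEY) + der(0x06, _OID_PRIME256V1))
                  + der(0x03, b"\x00\x04" + bytes(range(64))))
_SIG_ALG = der(0x30, der(0x06, _OID_ECDSA_SHA256))
_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _SIG_ALG
           + der(0x30, b"") + der(0x30, der(0x17, b"150101000000Z") + der(0x17, b"250101000000Z"))
           + der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT_DER = der(0x30, _TBS + _SIG_ALG + der(0x03, b"\x00" + bytes(8)))
_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\n" + "\n".join(
    _B64[i:i + 64] for i in range(0, len(_B64), 64)) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None   # a real PEM file, else the sample
    der_bytes = pem_to_der(open(path).read()) if path else SAMPLE_CERT_DER
    print(tlsa_record("mx.example.org", der_bytes))      # placeholder hostname
```

Run as `python3 tlsa.py cert.pem` to print the record for a real certificate; feeding the hex of the record actually published in DNS to `tlsa_matches` against the certificate the server serves checks that the two agree, which is the comparison that a DANE-aware client such as posttls-finger ends up making on the remote side.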
