On Wed, May 22, 2013 at 11:57:15AM +0100, Stephen Farrell wrote:

> I wouldn't be surprised if the SMTP/TLS with DANE thing was the
> first one to offer benefits, but it's maybe still a little
> early for that just yet.

It is early to expect "benefits", since very few clients are deployed
as yet, but not at all early to deploy; the TLSA record does no harm.
There is no downside: no existing SMTP clients refuse to deliver to
sites with unauthenticated certificates.

A Postfix production snapshot (Wietse code review complete) will
likely be available in June, at which point more people will be in
a position to deploy DANE TLSA-capable SMTP clients.  They'll also
need a DNSSEC-enabled local (127.0.0.1) caching DNS resolver.

So this is a good time to deploy server TLSA records:

    ; SHA256 digest of public key or full certificate.
    mail.example.com. IN TLSA 3 1 1 ...
    mail.example.com. IN TLSA 3 0 1 ...

    ; Or SHA256 of issuing trust-anchor CA public key.  With the trust-anchor
    ; issuer certificate included in the server chain file!
    ;
    mail.example.com. IN TLSA 2 1 1 ...
    mail.example.com. IN TLSA 2 0 1 ...
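
As an added example (not from Viktor's message, nor Postfix code), the following POSIX shell script uses the openssl CLI to compute the digest fields elided in the records above and to re-check a published record against the certificate a server actually presents. The `_25._tcp.` owner-name prefix, the `make_test_cert` helper and the throwaway self-signed certificate it generates are assumptions of the example.

```shell
#!/bin/sh
# Added example: derive TLSA RDATA from a PEM certificate with the openssl CLI,
# and re-check a published record against the certificate a server presents.
# Fields per RFC 6698: usage 3 = DANE-EE (server cert), 2 = DANE-TA (issuing CA);
# selector 1 = SubjectPublicKeyInfo, 0 = full certificate; matching type 1 = SHA-256.
set -e

# Hex SHA-256 of the selected part of a certificate. $1 = PEM file, $2 = selector (0|1).
tlsa_digest() {
    if [ "$2" = 1 ]; then
        openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
            openssl dgst -sha256 | awk '{print $NF}'
    else
        openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
    fi
}

# RDATA string "usage selector 1 <hex>". $1 = PEM file (the server cert for usage 3,
# the issuing trust-anchor CA cert for usage 2), $2 = usage, $3 = selector.
tlsa_rdata() {
    printf '%s %s 1 %s' "$2" "$3" "$(tlsa_digest "$1" "$3")"
}

# Zone fragment for an SMTP server: both DANE-EE forms, under the _25._tcp
# port/protocol prefix (assumed here). $1 = hostname, $2 = PEM file.
tlsa_zone() {
    for sel in 1 0; do
        printf '_25._tcp.%s. IN TLSA %s\n' "$1" "$(tlsa_rdata "$2" 3 "$sel")"
    done
}

# Does a presented certificate satisfy a published record? $1 = PEM file,
# $2 = RDATA string. Only matching type 1 is handled; returns 0 on match.
tlsa_matches() {
    cert=$1
    set -- $2
    [ "$3" = 1 ] || return 1
    [ "$(tlsa_digest "$cert" "$2")" = "$4" ]
}

# Throwaway self-signed certificate (constructed for the demo; not a real server's).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=mail.example.com" -days 1 2>/dev/null
}

dir=$(mktemp -d)
make_test_cert "$dir/cert.pem"
tlsa_zone mail.example.com "$dir/cert.pem"
```

Before publishing, run `tlsa_matches` against the certificate the MX actually serves (for example, captured with `openssl s_client -starttls smtp`), since a record that does not match the served chain makes DANE-aware clients refuse delivery.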

-- 
        Viktor.
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
