On Thu, May 23, 2013 at 12:21:02AM -0400, Paul Wouters wrote:
> On Wed, 22 May 2013, Viktor Dukhovni wrote:
>
> >So this is a good time to deploy server TLSA records:
> >
> > ; SHA256 digest of public key or full certificate.
> > mail.example.com. IN TLSA 3 1 1 ...
> > mail.example.com. IN TLSA 3 0 1 ...
> >
> > ; Or SHA256 of issuing trust-anchor CA public key. With the trust-anchor
> > ; issuer certificate included in the server chain file!
> > ;
> > mail.example.com. IN TLSA 2 1 1 ...
> > mail.example.com. IN TLSA 2 0 1 ...
>
> Would these be better located at _25._tcp.mail.example.com ? :)
Responding as a matter of courtesy rather than necessity. Yes, of
course! Anyway, if anyone knows the sysadmins who operate mail.ietf.org,
please nudge them to enable STARTTLS and publish TLSA RRs.
The DNSSEC signature is already in place:
$ drill -D -t mx ietf.org
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 64505
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 8
;; QUESTION SECTION:
;; ietf.org. IN MX
;; ANSWER SECTION:
ietf.org. 1800 IN MX 0 mail.ietf.org.
ietf.org. 1800 IN RRSIG MX ...copious line noise...
https://xkcd.com/1181/
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
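As an added illustration of the records being discussed (this is not code from the thread or from any of its authors), the following Python builds TLSA RRs at the `_25._tcp.mail.example.com.` owner name for usage 3 (DANE-EE) with selector 0 (full certificate) or 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256), and then checks a presented certificate against such an RRset the way a DANE-aware SMTP client would. Everything is standard library; the certificate is a constructed DER toy with the real X.509 field order but a dummy key and signature, so the digests are meaningful only relative to that toy. `mail.example.com` is the hostname from the thread; `build_toy_cert`, `dane_ee_match` and the other names are this example's own.

```python
"""Build TLSA records for _25._tcp.<host> and check a leaf cert against them.
Added example, not from the dane list thread. Constructed toy certificate."""
import hashlib

SEQUENCE, INTEGER, BIT_STRING, NULL, OID, UTCTIME, CTX0 = (
    0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0)


def der(tag, body):
    """Encode one DER TLV with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, raw_tlv, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nlb = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nlb], "big")
        hdr = 2 + nlb
    start, end = pos + hdr, pos + hdr + length
    return tag, buf[start:end], buf[pos:end], end


def der_children(body):
    """Split a constructed value into its (tag, value, raw_tlv) members."""
    items, pos = [], 0
    while pos < len(body):
        tag, val, raw, pos = der_read(body, pos)
        items.append((tag, val, raw))
    return items


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (selector 1 data) of a certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert_body, _, _ = der_read(cert_der)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    tbs = der_children(cert_body)[0]
    fields = der_children(tbs[1])
    if fields[0][0] == CTX0:          # skip the explicit version tag if present
        fields = fields[1:]
    return fields[5][2]               # raw TLV of subjectPublicKeyInfo


def tlsa_owner(host, port=25, proto="tcp"):
    """Owner name of a service's TLSA RRset, e.g. _25._tcp.mail.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def tlsa_assoc_data(selector, mtype, cert_der):
    """Certificate association data per RFC 6698 selector / matching type."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return data.hex()                      # exact (full) match
    if mtype == 1:
        return hashlib.sha256(data).hexdigest()
    if mtype == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("unknown matching type")


def tlsa_record(host, usage, selector, mtype, cert_der):
    """Zone-file line for one TLSA RR."""
    return (f"{tlsa_owner(host)} IN TLSA {usage} {selector} {mtype} "
            f"{tlsa_assoc_data(selector, mtype, cert_der)}")


def dane_ee_match(rrset, cert_der):
    """True if the presented leaf cert satisfies any usage-3 (DANE-EE) record.
    Usage-2 (DANE-TA) records require chain processing and are skipped here."""
    for usage, selector, mtype, assoc in rrset:
        if usage == 3 and tlsa_assoc_data(selector, mtype, cert_der) == assoc.lower():
            return True
    return False


# Constructed toy certificate: real field layout, dummy key bits and signature.
RSA_OID = der(OID, bytes.fromhex("2a864886f70d010101"))        # rsaEncryption
SHA256_RSA = der(OID, bytes.fromhex("2a864886f70d01010b"))     # sha256WithRSAEncryption
SIG_ALG = der(SEQUENCE, SHA256_RSA + der(NULL, b""))
SPKI = der(SEQUENCE, der(SEQUENCE, RSA_OID + der(NULL, b"")) +
           der(BIT_STRING, b"\x00" + bytes(range(64))))          # dummy public key


def build_toy_cert(serial, spki):
    """Constructed certificate with the given serial (< 0x80) and SPKI."""
    tbs = der(SEQUENCE,
              der(CTX0, der(INTEGER, b"\x02")) +                 # version v3
              der(INTEGER, bytes([serial])) +                    # serialNumber
              SIG_ALG +                                          # signature alg
              der(SEQUENCE, b"") +                               # issuer (empty)
              der(SEQUENCE, der(UTCTIME, b"130101000000Z") +
                  der(UTCTIME, b"140101000000Z")) +              # validity
              der(SEQUENCE, b"") +                               # subject (empty)
              spki)
    return der(SEQUENCE, tbs + SIG_ALG + der(BIT_STRING, b"\x00" + bytes(64)))


if __name__ == "__main__":
    cert = build_toy_cert(1, SPKI)
    for usage, selector in ((3, 1), (3, 0)):
        print(tlsa_record("mail.example.com", usage, selector, 1, cert))
```

The second toy certificate in the test below reuses the same SPKI with a different serial, which is what a routine re-issue looks like: a `3 1 1` record keeps matching, while a `3 0 1` record stops matching and must be re-published alongside the new certificate.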