On Fri, Jan 10, 2014 at 12:17:26AM +0000, Viktor Dukhovni wrote:
More proof-reading might be a good idea:
> ; Domain-wide TA CERT TLSA RR, aliased from each service:
> ;
> _25._tcp.mx.example.com. IN CNAME 2.1.1._tlsa.example.com.
> 2.1.1._tlsa.example.com. IN TLSA 2 0 1 {TA CERT SHA2-256 digest}
The "2.1.1" should have been a "2.0.1":
; Domain-wide TA CERT TLSA RR, aliased from each service:
;
_25._tcp.mx.example.com. IN CNAME 2.0.1._tlsa.example.com.
2.0.1._tlsa.example.com. IN TLSA 2 0 1 {TA CERT SHA2-256 digest}
The reason for "2 0 1" is that with "2 0 1" records Postfix honours
various properties in the TA certificate. For example, path length
constraints, ... With "2 1 1", the public key is trusted directly,
and the rest of the TA certificate is ignored.
So I had the right TLSA parameters, but a misleading associated
domain name.
--
Viktor.
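A small lint for the naming convention described above, added here as an example; it is not part of the original post and not Postfix or any project's code. It assumes a zone fragment in the "owner IN TYPE rdata" form (no TTL) and uses a constructed placeholder instead of a real TA certificate digest, and it flags exactly the defect Viktor corrected: a `<usage>.<selector>.<mtype>._tlsa` name whose labels disagree with the TLSA RDATA, plus CNAME aliases that point at a `_tlsa` name with no TLSA record.

```python
"""Consistency check for self-describing _tlsa names: the leading labels
<usage>.<selector>.<mtype>._tlsa.<zone> must match the TLSA RDATA they
carry, otherwise the name is misleading (the "2.1.1" vs "2 0 1" case)."""
import re

# Constructed zone fragment modelled on the records in the thread.
# The digest token is a placeholder, not a real TA certificate hash.
ZONE = """\
; misleading name: labels say 2.1.1, RDATA says 2 0 1 (the original post)
_25._tcp.mx.example.com. IN CNAME 2.1.1._tlsa.example.com.
2.1.1._tlsa.example.com. IN TLSA 2 0 1 TA-CERT-DIGEST-PLACEHOLDER
; corrected: labels and RDATA agree (selector 0 = full cert, so
; Postfix honours constraints in the TA certificate)
_465._tcp.mx.example.com. IN CNAME 2.0.1._tlsa.example.com.
2.0.1._tlsa.example.com. IN TLSA 2 0 1 TA-CERT-DIGEST-PLACEHOLDER
; dangling alias: nothing published at the target name
_587._tcp.mx.example.com. IN CNAME 3.1.1._tlsa.example.com.
"""

NAME_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\._tlsa\.", re.IGNORECASE)


def parse_zone(text):
    """Return (owner, rrtype, rdata_fields) per record; comments dropped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()            # owner IN TYPE rdata...
        records.append((fields[0].lower(), fields[2].upper(), fields[3:]))
    return records


def lint(records):
    """Return findings: name/RDATA mismatches and aliases with no TLSA RR."""
    findings = []
    tlsa_owners = {o for o, t, _ in records if t == "TLSA"}
    for owner, rrtype, rdata in records:
        if rrtype == "TLSA":
            m = NAME_RE.match(owner)
            if m and tuple(m.groups()) != tuple(rdata[:3]):
                findings.append(f"{owner}: name says {'.'.join(m.groups())} "
                                f"but RDATA is {' '.join(rdata[:3])}")
        elif rrtype == "CNAME" and "._tlsa." in rdata[0].lower():
            if rdata[0].lower() not in tlsa_owners:
                findings.append(f"{owner}: alias target {rdata[0]} "
                                "has no TLSA record")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_zone(ZONE)):
        print(finding)
```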
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane