thanks,

Viktor Dukhovni wrote:
> On Fri, Oct 10, 2014 at 02:36:42AM +1100, [email protected] wrote:
>
>> is it possible & legal to incorporate 2 TLSA RRs in a zone file the
>> following way for the same protocol/port, i.e. 25:
>
> Yes, absolutely. Multiple TLSA RRs can and will appear in a TLSA
> RRset, either as a result of key rotation in progress, or because
> there are multiple keys valid at the same time.

I signed my zonefile ok and have the following:

_25._tcp.ns1.example.net. IN CNAME tlsa311._dane.example.net.
tlsa311._dane.example.net. IN TLSA 3 1 1 4e02a17b48f8dd3fb451871222278d248c3f51ea5f25ec2e06f65096c80391b0 ; ECC
tlsa311._dane.example.net. IN TLSA 3 1 1 9ff5a335ddb86c368a9b3fc49d1a81f738d57f8f8f96c973e87513bbf24532c3 ; RSA

I'm waiting for confirmation from somebody that they see "Verified TLS conn..."

>
>> Assume postfix has set up 2 certs; an RSA and ECDSA
>>
>> If it's possible how would a particular TLSA RR be chosen?
>
> Each TLSA RR is compared against the server's chain until one
> matches.
>
>> Is it based upon negotiated cipher?
>
> No, generally the TLSA RR does not signal a particular public key
> algorithm. With matching type Full(0) one could infer the algorithm
> from public key, but in practice it is easier to just compare the
> bits regardless.
>
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
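The matching rule Viktor describes (walk the TLSA RRset, compare each RR against the server's chain, stop at the first hit, with no reference to the key algorithm or negotiated cipher) can be checked with a small self-contained script. The following is an added example written for this page; it is not code from the thread, from Postfix, or from any DNS library. It assumes a zone fragment shaped like the one above (owner, IN, TYPE, rdata, optional `;` comment), follows the CNAME from `_25._tcp.ns1.example.net.` to the TLSA RRset, and matches "3 1 1" records against SPKI bytes that are constructed stand-ins rather than real DER; the hashes in the zone text are computed from those stand-ins so the demo is consistent offline.

```python
"""DANE TLSA RRset matching against a server chain (added example, not from the thread)."""
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class TLSARecord:
    usage: int       # RFC 6698 certificate usage: 3 = DANE-EE, 2 = DANE-TA
    selector: int    # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int       # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes
    comment: str = ""  # trailing ";" comment from the zone line, kept as a label

@dataclass(frozen=True)
class ChainCert:
    label: str   # human-readable tag, e.g. "RSA leaf"
    der: bytes   # constructed stand-in for the DER-encoded certificate
    spki: bytes  # constructed stand-in for its SubjectPublicKeyInfo

# Constructed stand-ins for two SPKIs of different algorithms (not real keys).
RSA_SPKI = b"constructed-spki-rsa"
ECC_SPKI = b"constructed-spki-ecdsa"
RSA_LEAF = ChainCert("RSA leaf", b"constructed-der-rsa-cert", RSA_SPKI)
ECC_LEAF = ChainCert("ECDSA leaf", b"constructed-der-ecdsa-cert", ECC_SPKI)
ISSUER = ChainCert("issuer", b"constructed-der-issuer-cert", b"constructed-spki-issuer")

def build_zone_fragment(rsa_spki: bytes, ecc_spki: bytes) -> str:
    """Same layout as the zone snippet in the thread, with the digests computed here."""
    return (
        "_25._tcp.ns1.example.net. IN CNAME tlsa311._dane.example.net.\n"
        f"tlsa311._dane.example.net. IN TLSA 3 1 1 {hashlib.sha256(ecc_spki).hexdigest()} ; ECC\n"
        f"tlsa311._dane.example.net. IN TLSA 3 1 1 {hashlib.sha256(rsa_spki).hexdigest()} ; RSA\n"
    )

ZONE_TEXT = build_zone_fragment(RSA_SPKI, ECC_SPKI)

def parse_zone(text: str) -> dict:
    """Minimal parser: owner -> list of (rtype, rdata tokens, comment). Assumes 'owner IN TYPE rdata...'."""
    zone: dict = {}
    for raw in text.splitlines():
        line, _, comment = raw.partition(";")
        tokens = line.split()
        if not tokens:
            continue
        owner, rtype, rdata = tokens[0], tokens[2], tokens[3:]
        zone.setdefault(owner, []).append((rtype, rdata, comment.strip()))
    return zone

def lookup_tlsa(zone: dict, name: str, max_cnames: int = 8) -> list:
    """Follow CNAMEs from `name` and return the TLSA RRset at the final owner."""
    for _ in range(max_cnames):
        records = zone.get(name, [])
        cnames = [r for r in records if r[0] == "CNAME"]
        if cnames:
            name = cnames[0][1][0]
            continue
        return [TLSARecord(int(rd[0]), int(rd[1]), int(rd[2]), bytes.fromhex(rd[3]), c)
                for rtype, rd, c in records if rtype == "TLSA"]
    raise ValueError("CNAME chain too long")

def _digest(data: bytes, mtype: int) -> bytes:
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")

def first_match(rrset: list, chain: list) -> Optional[tuple]:
    """Return (record, cert) for the first TLSA RR that matches the chain, else None.

    Each RR is compared in RRset order against the relevant certificates; the
    key algorithm of the certificate never enters into the comparison."""
    for rr in rrset:
        if rr.usage == 3:
            candidates = chain[:1]       # DANE-EE: only the end-entity certificate
        elif rr.usage == 2:
            candidates = chain           # DANE-TA: any chain element (a real verifier also
        else:                            # requires the leaf to chain to the matched TA)
            continue                     # usages 0/1 need PKIX validation; out of scope here
        for cert in candidates:
            selected = cert.der if rr.selector == 0 else cert.spki
            if _digest(selected, rr.mtype) == rr.data:
                return rr, cert
    return None

def which_key_matched(zone_text: str, service: str, chain: list) -> Optional[str]:
    """Label (zone comment) of the TLSA RR that matched the presented chain, or None."""
    hit = first_match(lookup_tlsa(parse_zone(zone_text), service), chain)
    return hit[0].comment if hit else None

if __name__ == "__main__":
    for chain in ([RSA_LEAF, ISSUER], [ECC_LEAF, ISSUER]):
        print(chain[0].label, "->", which_key_matched(ZONE_TEXT, "_25._tcp.ns1.example.net.", chain))
```

Running it shows the RSA chain selecting the "RSA" record and the ECDSA chain selecting the "ECC" record from the same RRset, purely because the SHA-256 of the presented SPKI equals the record data. A chain whose leaf matches neither record yields no match, which is the situation a key rotation is meant to avoid: publish the new key's record alongside the old one before switching certificates, and remove the old record only after the switch.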
