* on the Tue, Mar 04, 2014 at 10:42:27PM +0000, Viktor Dukhovni wrote:
> but all the levels other than "dane" don't scale beyond a handful
> of peer sites. The "dane" level can scale, but at this time there
> are essentially no domains that have DNSSEC signed zones with TLSA
> records for SMTP (a total ~20 domains).
>
> Please help grow DANE adoption by implementing DNSSEC on your domain
> and publishing TLSA records (only once you understand how to keep
> these working properly with key rotation, we want DANE to work
> reliably for all receiving domains that commit to authenticated
> TLS by publishing TLSA records). So most users should wait 6-12
> months, by which time the standards will be better defined, and
> more deployment documentation will be available, maybe even an
> implementation in Exim. Early adopters strongly familiar with
> DNSSEC, TLS, and so on can deploy now.

I've had DANE on https://grepular.com/ for a while now. I recently added it to my MX for grepular.com too. However, I am not aware of anyone else using it with SMTP, so it would be good to get some sort of confirmation that I am doing it correctly, or incorrectly.

Just to confuse matters a little, the AAAA record for my primary MX points to a completely different machine than the A record, both present different certificates (from Startssl.com), both with different CN's, neither of which match the MX name. I have two separate DANE records to deal with that. I assume that the fact that only one of the two DANE records matches the cert presented is fine as it's the same as what happens during key rollovers in DNSSEC and would be necessary in some common configurations anyway.

Anyway, this isn't particularly Exim related, but if people want to test my odd DANE setup, when implementing DANE in Exim or elsewhere, feel free to poke me about it.

--
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
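
The matching rule the message above relies on (one TLSA RRset, two hosts, a different record matching on each), as an added example that is not part of the original post or of Exim. It assumes certificate usage 3 records only and does no name check; the function names and the byte strings standing in for DER data are constructed for illustration.

```python
import hashlib
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int     # 3 = DANE-EE: record pins the server's own certificate or key
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA such as '3 0 1 ab12 cd34...'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex("".join(hexparts)))

def association_data(selector: int, mtype: int,
                     cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the value a record with this selector/mtype must carry."""
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], selected).digest()

def matching_records(rrset, cert_der: bytes, spki_der: bytes):
    """Return the records matching what the server presented.
    Records this sketch cannot evaluate (usage other than 3, unknown
    selector or matching type) are skipped rather than treated as fatal."""
    hits = []
    for rr in rrset:
        if rr.usage != 3 or rr.selector not in (0, 1) or rr.mtype not in (0, 1, 2):
            continue
        if association_data(rr.selector, rr.mtype, cert_der, spki_der) == rr.data:
            hits.append(rr)
    return hits

def authenticated(rrset, cert_der: bytes, spki_der: bytes) -> bool:
    """One matching record is enough; the rest of the RRset may not match."""
    return bool(matching_records(rrset, cert_der, spki_der))

# Constructed stand-ins for the DER certificate and SPKI each host presents.
V4_CERT, V4_SPKI = b"constructed-cert-ipv4-host", b"constructed-spki-ipv4-host"
V6_CERT, V6_SPKI = b"constructed-cert-ipv6-host", b"constructed-spki-ipv6-host"

# One RRset at the MX name: a record per machine (assumed layout).
RRSET = [
    parse_tlsa("3 0 1 " + hashlib.sha256(V4_CERT).hexdigest()),
    parse_tlsa("3 1 1 " + hashlib.sha256(V6_SPKI).hexdigest()),
]
```
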
