On Tue, Feb 14, 2023 at 09:43:33AM -0500, Wietse Venema wrote:

> While we're on the topic of DANE, is there any reason why TLSA info
> is never looked up for destinations specified as [domain-name]?

That's not what I see.

    $ postmap -q dnssec-stats.ant.isi.edu cdb:transport
    smtp:[dnssec-stats.ant.isi.edu]

    $ sendmail -f $sender -bv ...@dnssec-stats.ant.isi.edu

which then logs:

    Feb 14 09:59:54 amnesiac postfix/smtp[93858]:
        Verified TLS connection established
        to dnssec-stats.ant.isi.edu[128.9.29.254]:25:
        TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
        key-exchange X25519 server-signature RSA-PSS (2048 bits)
        server-digest SHA256
    Feb 14 09:59:55 amnesiac postfix/smtp[93858]: 787821193A5:
        to=<...@dnssec-stats.ant.isi.edu>,
        relay=dnssec-stats.ant.isi.edu[128.9.29.254]:25, delay=0.67,
        delays=0.01/0.03/0.53/0.11, dsn=2.1.5,
        status=deliverable (250 2.1.5 Ok)

Ditto with "posttls-finger":

    $ posttls-finger -c -Lsummary "[dnssec-stats.ant.isi.edu]"
    posttls-finger: Verified TLS connection established to
        dnssec-stats.ant.isi.edu[2001:1878:401::8009:1dfe]:25:
        TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
        key-exchange X25519
        server-signature RSA-PSS (2048 bit raw public key)
        server-digest SHA256

-- 
    Viktor.
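As an added example (not part of the thread or of Postfix itself), the script below does two things a practitioner checking this behaviour would want: it derives the TLSA owner name that a DANE lookup uses for a bracketed transport nexthop such as `[dnssec-stats.ant.isi.edu]` (RFC 7672 form `_<port>._tcp.<hostname>`, defaulting to port 25, with no lookup for address literals), and it audits smtp(8) TLS log lines to flag hosts that were expected to reach DANE verification but logged a lower trust level. The log lines are constructed: the first two are the thread's entries joined back onto single lines with a placeholder local-part, the third is a made-up peer. The audit assumes those hosts run at `smtp_tls_security_level = dane`, where "Verified" is logged only when a TLSA record matched; at the `verify`/`secure` levels "Verified" means CA-based verification instead, so the check is only meaningful for DANE destinations.

```python
import re
from typing import Optional

# Constructed sample log lines, modelled on the Postfix smtp(8) TLS log format.
# Lines 1-2 reproduce the thread's entries on single lines (placeholder
# local-part); line 3 is a made-up delivery that did not reach DANE verification.
SAMPLE_LOG = """\
Feb 14 09:59:54 amnesiac postfix/smtp[93858]: Verified TLS connection established to dnssec-stats.ant.isi.edu[128.9.29.254]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Feb 14 09:59:55 amnesiac postfix/smtp[93858]: 787821193A5: to=<user@dnssec-stats.ant.isi.edu>, relay=dnssec-stats.ant.isi.edu[128.9.29.254]:25, delay=0.67, delays=0.01/0.03/0.53/0.11, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
Feb 14 10:02:11 amnesiac postfix/smtp[93901]: Untrusted TLS connection established to mail.example.net[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# Matches the "<level> TLS connection established to host[addr]:port: ..." line.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) TLS "
    r"connection established to (?P<host>[^\s\[]+)\[(?P<addr>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def tlsa_owner_name(nexthop: str) -> Optional[str]:
    """TLSA owner name for a bracketed transport nexthop ("[host]" or
    "[host]:port"), in the RFC 7672 form _<port>._tcp.<hostname>.
    Returns None for address literals (no DNSSEC-signed name to hold TLSA
    records) and for unbracketed domains, whose TLSA lookups target each MX
    host and so need live DNS (hypothetical helper, not Postfix code)."""
    nexthop = nexthop.strip()
    if not (nexthop.startswith("[") and "]" in nexthop):
        return None
    host, _, rest = nexthop[1:].partition("]")
    port = rest[1:] if rest.startswith(":") and rest[1:].isdigit() else "25"
    if host.startswith("ipv6:") or _IPV4.match(host):
        return None
    return f"_{port}._tcp.{host.rstrip('.')}"


def parse_tls_line(line: str) -> Optional[dict]:
    """Extract trust level and peer details from a smtp(8) TLS log line."""
    m = TLS_LINE.search(line)
    return m.groupdict() if m else None


def audit(log_text: str, dane_expected: set) -> list:
    """Flag connections to DANE destinations that logged anything other than
    "Verified". At smtp_tls_security_level = dane, "Verified" is logged only
    when a TLSA record matched the server's certificate or public key."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_tls_line(line)
        if rec and rec["host"] in dane_expected and rec["level"] != "Verified":
            findings.append(
                f"{rec['host']}[{rec['addr']}]:{rec['port']}: "
                f"{rec['level']} (expected Verified)"
            )
    return findings


if __name__ == "__main__":
    print(tlsa_owner_name("[dnssec-stats.ant.isi.edu]"))
    for finding in audit(SAMPLE_LOG, {"dnssec-stats.ant.isi.edu", "mail.example.net"}):
        print("ALERT", finding)
```

Running it prints the owner name `_25._tcp.dnssec-stats.ant.isi.edu`, which is the record `posttls-finger -c` needs to find (and match) before it can report "Verified", and one alert for the constructed `mail.example.net` line. Feed it real `postfix/smtp` log output and the set of hosts your transport map routes with `[host]` at the `dane` level to spot deliveries that silently fell back to unauthenticated TLS.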