Hello, currently I am studying DANE and email server stuff. While I was doing a test, I found something odd. As far as I know, the 3 1 1 rollover scheme has two TLSA records. By the way...
<quote: test isc.org>
soyeomul@yw-1204:~$ dig isc.org. | grep ad
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
soyeomul@yw-1204:~$ dig +short MX isc.org.
10 mx.ams1.isc.org.
5 mx.pao1.isc.org.
soyeomul@yw-1204:~$ dig +short TLSA _25._tcp.mx.pao1.isc.org.
3 1 1 865C0BC73EC3DAC90F73B3D1CF6BA08ECB2848134AAB479B6279FE70 44A0FA89
soyeomul@yw-1204:~$ openssl s_client -brief -starttls smtp -dane_tlsa_domain mx.pao1.isc.org -dane_tlsa_rrdata "3 1 1 865C0BC73EC3DAC90F73B3D1CF6BA08ECB2848134AAB479B6279FE7044A0FA89" -connect mx.pao1.isc.org:25 <<< "Q"
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Peer certificate: C = US, ST = New Hampshire, O = "Internet Systems Consortium, Inc.", CN = mx.pao1.isc.org
Hash used: SHA256
Signature type: RSA-PSS
Verification: OK
Verified peername: mx.pao1.isc.org
DANE TLSA 3 1 1 ...4aab479b6279fe7044a0fa89 matched EE certificate at depth 0
Server Temp Key: X25519, 253 bits
250 CHUNKING
DONE
soyeomul@yw-1204:~$
</quote>
Why does isc.org have only *one* TLSA record?
Postfix-users mailing list -- [email protected]
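The session above compares a published "3 1 1" record against the server's certificate by hand with openssl. The following added example (not from the post or from Postfix) does the same check offline: it walks the DER structure of a certificate to the SubjectPublicKeyInfo (selector 1), hashes it with SHA-256 (matching type 1), builds the rdata an operator would publish for the current and the next key during a rollover, and compares case-insensitively, since dig prints the digest in uppercase while openssl prints it in lowercase. The DER parser is a deliberately minimal one, and the certificate it runs on is a constructed, structurally valid stand-in with no real key or signature.

```python
import hashlib

def tlv(buf, pos=0):
    """Parse one DER TLV at pos -> (tag, value, end). Handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def enc(tag, value):
    """Minimal DER encoder, used only to build the constructed sample certificate."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of a certificate. Layout:
    Certificate ::= SEQ { tbsCertificate SEQ { [0] version OPTIONAL, serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ... }, sigAlg, sig }"""
    _, cert, _ = tlv(cert_der)
    _, tbs, _ = tlv(cert)
    tag, _, end = tlv(tbs)
    pos = end if tag == 0xA0 else 0        # skip the explicit [0] version when present
    for _ in range(5):                     # serial, signature, issuer, validity, subject
        _, _, pos = tlv(tbs, pos)
    _, _, end = tlv(tbs, pos)
    return tbs[pos:end]                    # selector 1 hashes the whole SPKI TLV

def tlsa_311(cert_der):
    """Rdata of a '3 1 1' record: DANE-EE usage, SPKI selector, SHA-256 matching type."""
    return "3 1 1 " + hashlib.sha256(extract_spki(cert_der)).hexdigest()

def tlsa_matches(rrdata, cert_der):
    """True if the published rdata matches the cert; hex case differs by tool (dig upper, openssl lower)."""
    usage, selector, mtype, digest = rrdata.split()
    if (usage, selector, mtype) != ("3", "1", "1"):
        raise ValueError("only 3 1 1 records are handled here")
    return digest.lower() == hashlib.sha256(extract_spki(cert_der)).hexdigest()

# Constructed sample: structurally valid fake certificate (rsaEncryption OID, fake key bits, empty names).
SAMPLE_SPKI = enc(0x30, enc(0x30, enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + enc(0x05, b""))
                  + enc(0x03, b"\x00" + bytes(range(140))))
_tbs = (enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + enc(0x30, b"") + enc(0x30, b"")
        + enc(0x30, b"") + enc(0x30, b"") + SAMPLE_SPKI + enc(0xA3, b""))
SAMPLE_CERT = enc(0x30, enc(0x30, _tbs) + enc(0x30, b"") + enc(0x03, b"\x00"))
OLD_CERT = SAMPLE_CERT.replace(bytes(range(140)), bytes(range(140))[::-1])  # same layout, other key
```

Running tlsa_311 over the current and the next certificate yields the two rdata strings to publish side by side; tlsa_matches then tells you which of the published records the live certificate actually satisfies.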
