On Sun, Feb 08, 2026 at 08:27:49PM +0900, Byunghee HWANG (황병희) via
Postfix-users wrote:
> Currently, I am studying DANE and email server stuff. While I was doing
> tests, I found some odd things. As far as I know, the 3 1 1 rollover
> scheme has two TLSA records.
Two "3 1 1" records are needed during a key rollover, but while the key
is stable, a single record suffices.
> soyeomul@yw-1204:~$ dig +short TLSA _25._tcp.mx.pao1.isc.org.
> 3 1 1 865C0BC73EC3DAC90F73B3D1CF6BA08ECB2848134AAB479B6279FE70 44A0FA89
That's fine.
> $ openssl s_client -brief -starttls smtp \
> -dane_tlsa_domain mx.pao1.isc.org \
> -dane_tlsa_rrdata "3 1 1
> 865C0BC73EC3DAC90F73B3D1CF6BA08ECB2848134AAB479B6279FE7044A0FA89"
> -connect mx.pao1.isc.org:25
> [...]
> Verified peername: mx.pao1.isc.org
> DANE TLSA 3 1 1 ...4aab479b6279fe7044a0fa89 matched EE certificate at depth 0
> [...]
Why is isc.org's TLSA record only *one*? Because one is enough if no
key rollover is imminent.
--
Viktor. 🇺🇦 Слава Україні!
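To make the "one record while stable, two during rollover" point concrete, here is an added example (not code from the thread, from Postfix or from openssl) showing how a "3 1 1" record is derived from a certificate's DER SubjectPublicKeyInfo, what a rollover RRset looks like, and the check that openssl s_client reports as "matched EE certificate at depth 0". It also parses the rdata exactly as dig prints it, where the hex digest may be broken into space-separated chunks as in the output above. The two SPKI blobs are constructed Ed25519-style SubjectPublicKeyInfo encodings with dummy key bytes, not real keys.

```python
"""DANE-EE(3) SPKI(1) SHA2-256(1) TLSA helpers (added example, assumptions noted)."""
import hashlib
from dataclasses import dataclass
from typing import Optional, Set, Iterable


@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE: match the end-entity certificate itself
    selector: int   # 1 = SubjectPublicKeyInfo rather than the full certificate
    mtype: int      # 1 = SHA2-256 of the selected data
    data: bytes     # the 32-byte digest


def parse_tlsa_rdata(text: str) -> TLSA:
    """Parse presentation-format rdata as printed by dig, e.g.
    '3 1 1 865C0BC7... 44A0FA89'. dig may split the hex into several
    whitespace-separated chunks, so everything after the three numeric
    fields is joined before hex-decoding."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = bytes.fromhex("".join(fields[3:]))
    if mtype == 1 and len(data) != 32:
        raise ValueError("SHA2-256 matching type requires a 32-byte digest")
    return TLSA(usage, selector, mtype, data)


def tlsa_3_1_1(spki_der: bytes) -> TLSA:
    """Build the '3 1 1' record for a key: SHA-256 over the DER-encoded SPKI."""
    return TLSA(3, 1, 1, hashlib.sha256(spki_der).digest())


def rollover_rrset(current_spki: bytes, next_spki: Optional[bytes] = None) -> Set[TLSA]:
    """Records to publish: one while the key is stable; during a rollover the
    record for the incoming key is added ahead of time so that both keys
    validate, and the old record is dropped once the switch is complete."""
    records = {tlsa_3_1_1(current_spki)}
    if next_spki is not None:
        records.add(tlsa_3_1_1(next_spki))
    return records


def matches_ee(rrset: Iterable[TLSA], leaf_spki_der: bytes) -> bool:
    """What the client does for usage 3 / selector 1 / type 1: hash the peer
    leaf certificate's SPKI and look for an equal digest in the RRset.
    Other usages and selectors are ignored here by design."""
    digest = hashlib.sha256(leaf_spki_der).digest()
    return any(
        r.usage == 3 and r.selector == 1 and r.mtype == 1 and r.data == digest
        for r in rrset
    )


# Constructed sample keys: a DER SubjectPublicKeyInfo for an Ed25519 key is
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (32 bytes) }. The key
# bytes below are dummies, not real public keys.
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
OLD_SPKI = _ED25519_SPKI_PREFIX + bytes([0x11] * 32)  # constructed
NEW_SPKI = _ED25519_SPKI_PREFIX + bytes([0x22] * 32)  # constructed


def present(record: TLSA) -> str:
    """Render a record in the presentation format used in a zone file."""
    return f"{record.usage} {record.selector} {record.mtype} {record.data.hex().upper()}"


if __name__ == "__main__":
    print("stable:")
    for r in rollover_rrset(OLD_SPKI):
        print("  ", present(r))
    print("during rollover:")
    for r in rollover_rrset(OLD_SPKI, NEW_SPKI):
        print("  ", present(r))
```

Note that the parser accepts the record exactly as dig printed it in the thread, with the trailing "44A0FA89" separated by a space, and yields the same 32-byte digest as the unbroken string passed to openssl.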
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]