Hello Viktor,

Viktor Dukhovni via Postfix-users <[email protected]> writes:
> On Sun, Feb 08, 2026 at 08:27:49PM +0900, Byunghee HWANG (황병희) via
> Postfix-users wrote:
>
>> Currently, I am studying DANE and email server stuff. While I was doing
>> tests, I found some odd things. As far as I know, the 3 1 1 rollover scheme
>> has two TLSA records.
>
> Two "3 1 1" records are needed during a key rollover, but while the key
> is stable, a single record suffices.
>
>> soyeomul@yw-1204:~$ dig +short TLSA _25._tcp.mx.pao1.isc.org.
>> 3 1 1 865C0BC73EC3DAC90F73B3D1CF6BA08ECB2848134AAB479B6279FE70 44A0FA89
>
> That's fine.

OK, thanks!

>> $ openssl s_client -brief -starttls smtp \
>>   -dane_tlsa_domain mx.pao1.isc.org \
>>   -dane_tlsa_rrdata "3 1 1
>>   865C0BC73EC3DAC90F73B3D1CF6BA08ECB2848134AAB479B6279FE7044A0FA89" \
>>   -connect mx.pao1.isc.org:25
>> [...]
>> Verified peername: mx.pao1.isc.org
>> DANE TLSA 3 1 1 ...4aab479b6279fe7044a0fa89 matched EE certificate at depth 0
>> [...]
>
> Why is isc.org's TLSA record only *one*? Because one is enough if no
> key rollover is imminent.

Additionally, I tested TLSA on pfix.imrryr.org as well.

After all, I did understand the whole story with the context(s) ["stable", "imminent"].

Sincerely,
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
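The exchange above turns on one fact: a "3 1 1" record is a SHA-256 digest of the leaf certificate's SubjectPublicKeyInfo, so it changes only when the key pair changes, and a second record is needed only while a new key is being rolled in. The script below is an added example, not code from the thread or from Postfix: it derives the 3 1 1 rrdata from a certificate (and from a bare private key, which is how the record for the next key can be published before its certificate exists), then checks a published rrset against the certificates an MX might serve while its key is stable and while a rollover is in progress. It assumes openssl(1) on PATH; the keys, certificates and the host name mx.example are constructed for the demo and have nothing to do with mx.pao1.isc.org.

```shell
#!/bin/sh
# Added example, not part of the thread: derive a DANE "3 1 1" TLSA record
# from a certificate's SubjectPublicKeyInfo and check which records a
# published rrset must carry while the key is stable versus during rollover.
# Assumes openssl(1) on PATH; keys, certs and the name mx.example are made up.
set -eu

# sha256 of stdin as lowercase hex, using only openssl ("openssl dgst"
# prints "<label>= <hex>" on every release, so strip up to "= ").
sha256hex() { openssl dgst -sha256 | sed 's/^.*= //'; }

# 3 1 1 = usage DANE-EE (3), selector SPKI (1), matching type SHA-256 (1):
# the digest covers the DER SubjectPublicKeyInfo of the leaf certificate,
# so it depends on the key pair only, not on issuer, dates or serial.
tlsa_311_from_cert() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER | sha256hex
}

# The same digest computed from the private key alone.  This is what lets
# you publish the record for the *next* key before its certificate exists.
tlsa_311_from_key() {
    openssl pkey -in "$1" -pubout -outform DER | sha256hex
}

# One rrdata line in the shape "dig +short TLSA" prints it.
tlsa_rrdata() { printf '3 1 1 %s\n' "$1"; }

# Does an rrset (one "3 1 1 <hex>" per line, any case, any spacing) contain
# the record for this certificate?  Exit status 0 means a DANE-EE match.
rrset_covers_cert() {
    rrset=$1 cert=$2
    want=$(tlsa_311_from_cert "$cert")
    printf '%s\n' "$rrset" | tr 'A-F' 'a-f' | tr -s ' ' | grep -qx "3 1 1 $want"
}

# Constructed material for the demo (P-256 keeps key generation fast).
mk_key()  { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }
mk_cert() { openssl req -x509 -new -key "$1" -subj "/CN=$3" -days 30 -out "$2" 2>/dev/null; }

demo() {
    d=$(mktemp -d)
    mk_key "$d/old.key"; mk_key "$d/new.key"
    mk_cert "$d/old.key" "$d/old.crt"     mx.example   # what the MX serves today
    mk_cert "$d/old.key" "$d/renewed.crt" mx.example   # renewed cert, same key
    mk_cert "$d/new.key" "$d/new.crt"     mx.example   # cert after the key rollover

    old=$(tlsa_311_from_cert "$d/old.crt")
    new=$(tlsa_311_from_key  "$d/new.key")             # known before new.crt is issued

    echo "stable key: one record suffices, and a renewal does not change it"
    tlsa_rrdata "$old"
    rrset_covers_cert "$(tlsa_rrdata "$old")" "$d/renewed.crt" && echo "  renewed.crt still matches"

    echo "rollover: publish both, wait out the old rrset's TTL, then switch keys"
    both=$(tlsa_rrdata "$old"; tlsa_rrdata "$new")
    printf '%s\n' "$both"
    rrset_covers_cert "$both" "$d/old.crt" && echo "  old.crt matches"
    rrset_covers_cert "$both" "$d/new.crt" && echo "  new.crt matches"

    echo "after the switch: drop the old record"
    tlsa_rrdata "$new"
    rm -rf "$d"
}

demo
```

Run it as-is to see the three states. The order in the rollover step matters: the new record goes into DNS first, the old one stays until every resolver's cached copy of the single-record rrset has expired, and only then does the MX start serving the new key; removing the old record early, or switching keys early, leaves a window in which DANE-enforcing senders see a mismatch and defer mail.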
