> On Feb 8, 2026, at 6:21 AM, Byunghee HWANG (황병희) via Postfix-users
> <[email protected]> wrote:
>
> Hello Viktor,
>
> Viktor Dukhovni via Postfix-users <[email protected]> writes:
>
>> On Sun, Feb 08, 2026 at 08:27:49PM +0900, Byunghee HWANG (황병희) via
>> Postfix-users wrote:
>>
>>> Currently, I study about DANE and Email server stuff. While I'm doing
>>> test, I found some odd things. As far as I know, 3 1 1 rollover schema
>>> have two TLSA records.

I love how isc.org is just some kind of special informal reference installation that people like to poke and prod at and say "I'm trying to learn so why is this one like this?", like it's some hieroglyphics that you found out in the jungle. ISC does a bunch of weird things and I'm sure they have their reasons, and for some people think they're better enlightened asking on third-party mailing lists, than actually asking ISC.

>> Two "3 1 1" records are needed during a key rollover, but while the key
>> is stable, a single record suffices.
>>
>>> soyeomul@yw-1204:~$ dig +short TLSA _25._tcp.mx.pao1.isc.org.
>>> 3 1 1 865C0BC73EC3DAC90F73B3D1CF6BA08ECB2848134AAB479B6279FE70 44A0FA89
>>
>> That's fine.
>
> OK, thanks!

ISC also has two different MXes, that seem to have two different certificate lifetimes, so even if one cert was rolling over, the other would work during that TTL 3600 (one hour) refresh window. And weirdly, they're commercial certificates that are Organization Validated rather than the simpler domain-validated. Why could this be? I guess we'll never know! If only there was someone at ISC you could ask.

-Dan
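
The rule quoted in the thread above (two "3 1 1" records during a key rollover, one while the key is stable), as an added example that is not part of the original messages: it parses `dig +short TLSA` lines, including the space-split hex that dig prints, and classifies an RRset against the key in service and a staged key. The function names are hypothetical and the SPKI byte strings are constructed stand-ins for DER SubjectPublicKeyInfo, not real keys.

```python
import hashlib
import hmac

def parse_tlsa(line):
    """Parse one `dig +short TLSA` line into (usage, selector, mtype, data)."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"not TLSA RDATA: {line!r}")
    usage, selector, mtype = (int(f) for f in fields[:3])
    # dig prints long hex in space-separated chunks; rejoin before decoding.
    data = bytes.fromhex("".join(fields[3:]))
    if mtype == 1 and len(data) != 32:
        raise ValueError("matching type 1 must carry a 32-byte SHA-256 digest")
    return usage, selector, mtype, data

def pins_key(spki_der, record):
    """True if a "3 1 1" record (DANE-EE, SPKI, SHA-256) matches this key."""
    usage, selector, mtype, data = record
    if (usage, selector, mtype) != (3, 1, 1):
        return False
    return hmac.compare_digest(hashlib.sha256(spki_der).digest(), data)

def rollover_state(rrset, live_spki, next_spki=None):
    """Classify a TLSA RRset against the key in service and a staged key."""
    records = [parse_tlsa(line) for line in rrset]
    if not any(pins_key(live_spki, r) for r in records):
        return "broken: key in service is not pinned"
    if next_spki is None:
        return "stable: single record suffices"
    if any(pins_key(next_spki, r) for r in records):
        # Resolvers may cache the old RRset for its TTL after publication.
        return "rollover: both keys pinned"
    return "rollover: publish the next key's record before switching"

def dig_line(spki_der):
    """Render a key's "3 1 1" record the way dig prints it (split hex)."""
    h = hashlib.sha256(spki_der).hexdigest().upper()
    return f"3 1 1 {h[:56]} {h[56:]}"

# Constructed stand-ins for DER SubjectPublicKeyInfo bytes (not real keys).
LIVE = b"constructed-spki-of-key-in-service"
NEXT = b"constructed-spki-of-staged-key"

if __name__ == "__main__":
    print(rollover_state([dig_line(LIVE)], LIVE))
    print(rollover_state([dig_line(LIVE)], LIVE, NEXT))
    print(rollover_state([dig_line(LIVE), dig_line(NEXT)], LIVE, NEXT))
    print(rollover_state([dig_line(NEXT)], LIVE, NEXT))
```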
