On 25-04-14 17:00, Viktor Dukhovni wrote:
> On Fri, Apr 25, 2014 at 02:35:55PM +0000, Eray Aslan wrote:
>
>>> $ tlsagen cert.pem $(uname -n) DANE-EE PKEY SHA2-256
>>> _25._tcp.mail.example.com IN TLSA 3 1 1 {hex string}
>>
>> For the record, looks like a typo in the script:
>
> Oh, and by the way, I see your domain has working TLSA RRs. I now
> know of 18 domains with working TLSA records for their MX hosts
> (but two of them are mine). That list is a bit short. :-( I'm
> helping the ietf.org administrator to implement STARTTLS and TLSA
> records, so that'll be 19 soon.
>
> If anyone else on this list has a DNSSEC signed domain and adds MX
> host TLSA records, please feel free to drop me a note. I'll
> connect to your domain from my home network a few times a year to
> test DANE interoperability, you will not be exposed to any
> noticeable load, nor any unwanted email messages, the connection
> will just complete a TLS handshake, send "QUIT" and disconnect.
> (A test with posttls-finger).
>

Count me in. Your post was a trigger for me: wanted to try this for some time, but never got to it. It was actually dead easy ;)

I read http://blog.huque.com/2012/10/dnssec-and-certificates.html and ended up using hash-slinger, which is available in the latest Ubuntu release, just like posttls-finger.

Tom