On Tue, Dec 30, 2014 at 07:47:24PM -0500, John wrote:
> I have set up my DNS server for DNSSEC + DANE. I am using inline signing on
> Bind9 and it appears to be working for HTTPS access.
> I have a minor problem with key rolling, it seems to be a rather cumbersome
> process at the moment, but I suspect that it is me rather than the process.
>
> Having got it working for HTTPS, I felt that I could move on to implementing
> it for SMTP (Postfix).
For inbound DANE TLS you're all set. My work-in-progress danecli
shows:
$ danecli -mg klam.ca
klam.ca. IN MX 10 smtp.klam.ca. ; NOERROR AD=1 1/0 1/0/1
smtp.klam.ca. IN A 74.116.186.178 ; passed
_25._tcp.smtp.klam.ca. IN TLSA 3 0 1
    5bf12300255d1475ae43677b7062ab8964ca097ee6096cd005115b8c974e83ab ; passed at depth=0
smtp.klam.ca. IN AAAA 2001:470:b183:10:0:0:0:178 ; connerr: Connection timed out
Which means that smtp.klam.ca has a working TLSA RRset, but perhaps
has IPv6 connectivity issues.
As for key rotation, see:
https://tools.ietf.org/draft-ietf-dane-ops-07#section-8.1
https://tools.ietf.org/draft-ietf-dane-ops-07#section-8.4
> smtp_use_tls = yes
This is obsolete, superseded by smtp_tls_security_level below:
> smtp_tls_security_level = dane
And likewise:
> smtpd_use_tls = yes
> smtpd_tls_security_level = may
--
Viktor.
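As an added illustration (not part of the original message, and not danecli's own code), the RFC 6698 matching logic behind the "passed at depth=0" line above, in Python; the certificate and SubjectPublicKeyInfo bytes are constructed placeholders standing in for real DER, and the DANE-TA(2) handling is simplified to "must match an issuer at depth 1 or deeper":

```python
import hashlib
import hmac

# Constructed placeholder DER blobs (not real certificates): the leaf an SMTP
# server would present and the CA that issued it, each paired with its SPKI.
LEAF_CERT, LEAF_SPKI = b"constructed leaf certificate DER", b"constructed leaf SPKI DER"
CA_CERT, CA_SPKI = b"constructed issuer certificate DER", b"constructed issuer SPKI DER"
CHAIN = [(LEAF_CERT, LEAF_SPKI), (CA_CERT, CA_SPKI)]  # leaf first, i.e. depth 0

def parse_tlsa(rdata):
    """Parse presentation-format rdata 'usage selector mtype hex', e.g. '3 0 1 5bf1...'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))

def assoc_data(selector, mtype, cert_der, spki_der):
    """Certificate association data: pick the object (cert or SPKI), then apply the matching type."""
    obj = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return obj                              # Full, exact bytes
    if mtype == 1:
        return hashlib.sha256(obj).digest()     # SHA2-256
    if mtype == 2:
        return hashlib.sha512(obj).digest()     # SHA2-512
    raise ValueError(f"unsupported matching type {mtype}")

def match_depth(tlsa, chain):
    """Return the chain depth at which the record matches, or None if it does not.
    DANE-EE(3) may only match the leaf (depth 0). DANE-TA(2) must match an issuer
    (depth >= 1) in this simplified model. PKIX usages 0/1 are not used for SMTP
    (RFC 7672), so they never match here."""
    usage, selector, mtype, data = tlsa
    depths = [0] if usage == 3 else (range(1, len(chain)) if usage == 2 else [])
    for depth in depths:
        cert_der, spki_der = chain[depth]
        if hmac.compare_digest(assoc_data(selector, mtype, cert_der, spki_der), data):
            return depth
    return None

# Records under test: two computed from the constructed chain, one with the right
# digest but the wrong usage, and the klam.ca record from the output above, which
# naturally cannot match a placeholder certificate.
GOOD_RECORD = "3 0 1 " + hashlib.sha256(LEAF_CERT).hexdigest()
TA_RECORD = "2 1 1 " + hashlib.sha256(CA_SPKI).hexdigest()
WRONG_USAGE_RECORD = "2 0 1 " + hashlib.sha256(LEAF_CERT).hexdigest()
PAGE_RECORD = "3 0 1 5bf12300255d1475ae43677b7062ab8964ca097ee6096cd005115b8c974e83ab"

if __name__ == "__main__":
    for rec in (GOOD_RECORD, TA_RECORD, WRONG_USAGE_RECORD, PAGE_RECORD):
        d = match_depth(parse_tlsa(rec), CHAIN)
        print(rec[:24] + "...", "passed at depth=%d" % d if d is not None else "failed")
```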