On 06/06/2016 07:46 AM, Viktor Dukhovni wrote:
On Mon, Jun 06, 2016 at 03:58:51PM +0200, Alexandre Ellert wrote:
I've just enabled DANE and https://dane.sys4.de
is green when I test my domain numeezy.com. Also
postfix SMTP client says "Verified TLS connection established to
mail-in-1.numeezy.com[188.165.154.163]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)"
Maybe some DANE expert here can definitely confirm that my setup is sane.
Yes, your DANE TLSA records match for both the primary and secondary
MX hosts. You've also *not* made the mistake of using the same
certificate for both the primary and secondary MX hosts, thereby
risking an outage of both when you replace a single certificate.
And you're using "3 1 1" records which are stable when you renew
your certificate with the same private key.
Isn't it generally better to use a new private key?
The logic I was taught is that the longer your key is in use, the more
likely someone has had access to it that shouldn't by one means or another.
How long was DROWN known to black hats before it finally was exposed? I
don't know, but since it had been well over a year since I used SSL 2
for anything and I use a fresh private key, it didn't matter, but for
people who do renew with the same key, who knew of the exploit, and how long ago,
may matter even if they aren't currently using SSLv2.