> On Dec 16, 2016, at 1:39 AM, Alice Wonder <al...@domblogger.net> wrote:
>
> When an SMTP server publishes a TLSA record, will DANE enforcing SMTP servers
> refuse to connect if the TLSA record matches the certificate but the
> certificate has expired?
That depends on the TLSA records:

    https://tools.ietf.org/html/rfc7672#section-3.1.1
    https://tools.ietf.org/html/rfc7672#section-3.1.2

The oldest working past-due certificate expiration of a DANE SMTP domain
that I've been able to find is:

  <beispiel>.de. IN MX 5 mx02.<example>.net. ; NOERROR AD=1
  _25._tcp.mx02.<example>.net. IN TLSA 3 1 1 fcdd32774bfba667da276048137d0876754a115b8969fc098a61256844f0f9e6
  ; passed at depth=0, matched=mx02.<example>.net
  ; Subject = CN=mx02.<example>.net
  ; Issuer = emailAddress=supp...@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
  ; Inception = 2010-03-22T23:22:05Z
  ; Expiration = 2010-09-18T23:22:05Z
  ; Fingerprint = ef133ed4207937fa5bd44bd674b4ae73b589bfeefd82435c2900bf820bbc33e5

  <beispiel>.de. IN MX 10 mx-in01.<example>.net. ; NOERROR AD=1
  _25._tcp.mx-in01.<example>.net. IN TLSA 3 1 1 2e7062082ebff42db9cf70ab4fa398d5c3ea6f53a6fbfa883e878a8cac8c25f9
  ; passed at depth=0
  ; Subject = CN=mx01.<example>.net
  ; Issuer = emailAddress=supp...@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
  ; Inception = 2010-03-22T23:22:23Z
  ; Expiration = 2010-09-18T23:22:23Z
  ; Fingerprint = 79c97afc1f973d42d4c5971c72c40f6dc4f455315c1f32cfe0d3c671dcce9a82

The primary MX certificate is expired; the secondary MX certificate is both
expired and its name does not match the name in the certificate. The latter
is best avoided, but is acceptable for DANE SMTP.

--
	Viktor.
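The difference Viktor points to between RFC 7672 sections 3.1.1 and 3.1.2 is easiest to see in code. The following is an added example, not code from the thread or from any DANE implementation: it builds a constructed self-signed certificate with a validity window in the past (dates chosen to mirror the thread), derives the "1 1" (SPKI, SHA-256) association data from it, and then applies the two usages. With DANE-EE(3) only the digest has to match, so the expired certificate is accepted; with DANE-TA(2) the name and validity period are still checked, so it is rejected. Hostnames are placeholders, and chain building to a separate trust-anchor certificate is deliberately not modeled for usage 2: the record is assumed to match the certificate directly, which is a simplification of the real DANE-TA logic.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA is one TLSA RR: usage, selector, matching type and association data (RFC 6698).
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// makeCert builds a constructed self-signed certificate for host with the
// given validity window. It stands in for a real MX certificate.
func makeCert(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// tlsaData derives the association data a TLSA record carries for cert under
// selector (0 = full certificate, 1 = SubjectPublicKeyInfo) and matching type
// (0 = exact bytes, 1 = SHA-256).
func tlsaData(cert *x509.Certificate, selector, matchingType uint8) ([]byte, error) {
	var in []byte
	switch selector {
	case 0:
		in = cert.Raw
	case 1:
		in = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("unsupported selector %d", selector)
	}
	switch matchingType {
	case 0:
		return in, nil
	case 1:
		sum := sha256.Sum256(in)
		return sum[:], nil
	default:
		return nil, fmt.Errorf("unsupported matching type %d", matchingType)
	}
}

// daneMatch applies the checks that differ between the two DANE SMTP usages.
// DANE-EE(3): only the association data must match; expiration and peer name
// are not checked (RFC 7672 section 3.1.1). DANE-TA(2): peer name and validity
// period are still checked (section 3.1.2). Chain building to a trust anchor
// is not modeled (assumption: the record matches cert directly). The returned
// slice lists the reasons a match was rejected.
func daneMatch(rr TLSA, cert *x509.Certificate, host string, now time.Time) (bool, []string) {
	data, err := tlsaData(cert, rr.Selector, rr.MatchingType)
	if err != nil || !bytes.Equal(data, rr.Data) {
		return false, []string{"association data does not match"}
	}
	switch rr.Usage {
	case 3:
		return true, nil
	case 2:
		var reasons []string
		if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			reasons = append(reasons, "certificate outside validity period")
		}
		if err := cert.VerifyHostname(host); err != nil {
			reasons = append(reasons, "name mismatch: "+err.Error())
		}
		return len(reasons) == 0, reasons
	default:
		return false, []string{fmt.Sprintf("usage %d is not used by DANE SMTP", rr.Usage)}
	}
}

// expiredMXScenario reproduces the situation from the thread: a "3 1 1" record
// whose digest matches an MX certificate that expired years before the check,
// with the same digest evaluated as "2 1 1" for comparison.
func expiredMXScenario() (eeOK bool, taOK bool, taReasons []string, err error) {
	const host = "mx02.example.net" // placeholder, not the host from the thread
	cert, err := makeCert(host,
		time.Date(2010, 3, 22, 0, 0, 0, 0, time.UTC),
		time.Date(2010, 9, 18, 0, 0, 0, 0, time.UTC))
	if err != nil {
		return false, false, nil, err
	}
	digest, err := tlsaData(cert, 1, 1)
	if err != nil {
		return false, false, nil, err
	}
	now := time.Date(2016, 12, 16, 0, 0, 0, 0, time.UTC)
	eeOK, _ = daneMatch(TLSA{3, 1, 1, digest}, cert, host, now)
	taOK, taReasons = daneMatch(TLSA{2, 1, 1, digest}, cert, host, now)
	return eeOK, taOK, taReasons, nil
}

func main() {
	eeOK, taOK, reasons, err := expiredMXScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("DANE-EE(3): accepted=%v\n", eeOK)
	fmt.Printf("DANE-TA(2): accepted=%v reasons=%v\n", taOK, reasons)
}
```

The same functions show the secondary-MX case from the thread: a certificate issued for one name, presented by a host with a different name, still passes under usage 3 once the digest matches, while usage 2 reports both the expiry and the name mismatch.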