Hi,

Viktor Dukhovni wrote:
> P.S.
>
> If you have a dataset of hosts that offer STARTTLS on port 25, and
> especially if that also includes the CN or first DNS altname in
> the certificate (and/or the hostname from the first line of the
> EHLO response), that would be most useful for my DANE surveys.

We have collected this information and have already had a look at it, though not yet thoroughly. So we've compared CN and sAN entries to the hostname we see in banner messages. Because we work on an IP basis rather than host-names, this information is not always something you can work with (load balancers, large email hosting environments with lots of servers, et cetera) - that's also an issue for doing DNS-based lookups on the hosts we're scanning. Starting with PTR records isn't really a great solution, but for some servers it does work.

> Drop me a line if you're willing to share. My DANE SMTP server
> hunt has so far found around 1700 DNSSEC domains served by just
> over 900 DNSSEC TLSA-record validated MX hosts.

It'd be interesting to compare our results for sure. I think I can provide you with either the raw dataset or our results (CSV-file with statistics).

Thanks again,
Aaron
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
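The comparison discussed in this thread (certificate CN and DNS altnames against the hostname in the first line of the EHLO response) can be sketched as below. This is an added example, not code from either participant; the record layout, the category names and the sample rows are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample scan records: (ip, first EHLO line, cert CN, cert DNS altnames)
SAMPLE = [
    ("192.0.2.10", "250-mx1.example.net Hello scanner", "mx1.example.net", ["mx1.example.net"]),
    ("192.0.2.11", "250-mx7.mail.example.org", "*.mail.example.org", []),
    ("192.0.2.12", "250-lb-03.hosting.example", "smtp.customer.example", ["smtp.customer.example"]),
    ("192.0.2.13", "250-[192.0.2.13]", "localhost", []),
]

def ehlo_hostname(first_line):
    """Hostname from '250-host ...' or '250 host ...'; None for address literals."""
    m = re.match(r"250[- ]([A-Za-z0-9.-]+)", first_line.strip())
    return m.group(1).rstrip(".").lower() if m else None

def name_matches(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole left-most label.

    Assumption: a wildcard must sit above at least two labels, so '*.com' never matches.
    """
    p = pattern.rstrip(".").lower().split(".")
    h = host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def classify(ehlo_line, cn, sans):
    """Survey category for one record (a reporting label, not a validation policy)."""
    host = ehlo_hostname(ehlo_line)
    if host is None or "." not in host:
        return "no-usable-hostname"
    if any(name_matches(s, host) for s in sans):
        return "san-match"
    if cn and name_matches(cn, host):
        return "cn-match"
    # Typical for load balancers and shared hosting scanned by IP address.
    return "mismatch"

def tally(records):
    """Count records per category across a scan."""
    return Counter(classify(line, cn, sans) for _ip, line, cn, sans in records)

if __name__ == "__main__":
    for category, count in sorted(tally(SAMPLE).items()):
        print(f"{category}: {count}")
```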
