My implementation of DANE TLSA support for Postfix is code complete
and passes basic tests. I'd like to test more of the feature-set,
but at <http://www.internetsociety.org/deploy360/resources/dane-test-sites/>
I found listed exactly four MX hosts with DANE TLSA records for SMTP:
$ for domain in jhcloos.com nlnetlabs.nl nlnet.nl
  do
    dig +short -t mx $domain | sort -n | awk '{print $NF}' |
    while read h
    do
      dig +noall +ans -t tlsa _25._tcp.$h
    done
  done | perl -lne 'print unless ++$dup{$_} > 1;'
_25._tcp.liberty.jhcloos.com. 3361 IN TLSA 3 1 1 9D72F4AE...
_25._tcp.pao.uu.jhcloos.net. 3362 IN TLSA 3 1 1 FE79C6D0...
_25._tcp.open.nlnetlabs.nl. 9962 IN CNAME 3.1.1._dane.nlnetlabs.nl.
3.1.1._dane.nlnetlabs.nl. 9962 IN TLSA 3 1 1 0D1FCBD7...
_25._tcp.open.nlnet.nl. 86163 IN TLSA 3 1 1 6813D634...
All sensibly using 3 1 1, so we have a 100% consensus best-practice. :-)
I'd like to test with more domains, if possible. Does anyone know of
any more? Particularly any that publish:
- Certificate usage 0 or 2
- Selector 0
- Matching Type 0 or 2
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
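An added Python example (mine, not part of Viktor's post or of the Postfix code) showing what the selector and matching-type values asked about above mean operationally: it derives the RFC 6698 certificate association data for a certificate under selector 0 or 1 and matching type 0, 1 or 2, and compares it with a record written in the presentation format dig prints ("3 1 1 9D72F4AE..."). The certificate used is a constructed, cert-shaped DER blob with no real key or signature, just enough structure for the SubjectPublicKeyInfo walk.

```python
import hashlib

# Minimal DER walker: (tag, value, end offset) of the TLV starting at pos.
def der_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# Selector 1 = DER SubjectPublicKeyInfo (header included), the element after
# [0] version, serialNumber, signature, issuer, validity, subject in tbsCertificate.
def spki_from_cert(der):
    _, cert, _ = der_tlv(der)                  # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert)                  # tbsCertificate SEQUENCE
    tag, _, pos = der_tlv(tbs)
    if tag != 0xA0:                            # no explicit version: start at serialNumber
        pos = 0
    for _ in range(5):                         # serialNumber .. subject
        _, _, pos = der_tlv(tbs, pos)
    _, _, end = der_tlv(tbs, pos)
    return tbs[pos:end]

# RFC 6698 certificate association data, as the uppercase hex dig prints.
def tlsa_matching_data(cert_der, selector, mtype):
    data = {0: cert_der, 1: spki_from_cert(cert_der)}[selector]
    digest = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[mtype]
    return digest(data).hex().upper()

# One TLSA RR in presentation format; the hex part may be split by whitespace.
def parse_tlsa(rdata):
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), "".join(hexdata.split()).upper()

# Does the presented certificate match the record's association data? The
# usage-specific PKIX/chain/name checks (0/1 vs 2/3) are outside this example.
def tlsa_matches(rdata, cert_der):
    usage, selector, mtype, want = parse_tlsa(rdata)
    if usage > 3 or selector > 1 or mtype > 2:  # unknown parameter: unusable record
        return False
    return tlsa_matching_data(cert_der, selector, mtype) == want

def _tlv(tag, body):                           # short-form DER, for the sample only
    return bytes([tag, len(body)]) + body
# Constructed, cert-shaped DER (not a real or signed certificate): enough
# structure for spki_from_cert to locate the SubjectPublicKeyInfo.
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d0201")))
                   + _tlv(0x03, b"\x00\x04" + b"\x11" * 8))
_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d040302")))
_TBS = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _ALG
            + _tlv(0x30, b"") + _tlv(0x30, _tlv(0x17, b"240101000000Z") * 2)
            + _tlv(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = _tlv(0x30, _TBS + _ALG + _tlv(0x03, b"\x00" + b"\x22" * 4))
```

With a real DER certificate in place of SAMPLE_CERT, tlsa_matching_data(cert, 1, 1) gives the "3 1 1" data the records above carry, and selector 0 / matching type 0 or 2 give the full-certificate and SHA-512 variants the post is looking for.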