On Tue, Feb 14, 2023 at 09:43:33AM -0500, Wietse Venema wrote:

> While we're on the topic of DANE, is there any reason why TLSA info
> is never looked up for destinations specified as [domain-name]?

That's not what I see.

    $ postmap -q dnssec-stats.ant.isi.edu cdb:transport
    smtp:[dnssec-stats.ant.isi.edu]
    $ sendmail -f $sender -bv ...@dnssec-stats.ant.isi.edu

which then logs:

    Feb 14 09:59:54 amnesiac postfix/smtp[93858]: Verified TLS connection established to dnssec-stats.ant.isi.edu[128.9.29.254]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    Feb 14 09:59:55 amnesiac postfix/smtp[93858]: 787821193A5: to=<...@dnssec-stats.ant.isi.edu>, relay=dnssec-stats.ant.isi.edu[128.9.29.254]:25, delay=0.67, delays=0.01/0.03/0.53/0.11, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)

Ditto with "posttls-finger":

    $ posttls-finger -c -Lsummary "[dnssec-stats.ant.isi.edu]"
    posttls-finger: Verified TLS connection established to dnssec-stats.ant.isi.edu[2001:1878:401::8009:1dfe]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bit raw public key) server-digest SHA256

--
    Viktor.