Hi!

I checked my cert and it is related to R10, but I will also publish the rest regarding your advice....

Ciao Gerd

On 27.06.24 at 14:24, Viktor Dukhovni via Postfix-users wrote:
On Thu, Jun 27, 2024 at 02:13:25PM +0200, Gerd Hoerst via Postfix-users wrote:

Thanks! Works
Nope, sorry, you've rather failed to read and understand those docs.

On 27.06.24 at 13:29, Viktor Dukhovni via Postfix-users wrote:
BTW: where to get the cert from to generate the 2 1 1 entry for DNS?
    
- https://list.sys4.de/hyperkitty/list/dane-us...@list.sys4.de/message/ZTM3XQMI3XP7PWMWJTXBYDPVU4UENE24/
- https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Publishing just "R10" will soon fail, when you get a cert from "R11" or
one of the backup issuers R12, R13 or R14.  You MUST publish them all to
avoid sudden breakage surprises.

And if you don't have monitoring of their correctness against the live
certificate chain, you should not publish any TLSA records.

Inbound DANE is not for dilettantes, either you do it right, or you're
only making problems for yourself and others.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
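
Added example, not part of the original thread and not Postfix code: a sketch of the monitoring check the reply asks for, which computes the "2 1 1" digest (SHA-256 over the issuer's DER SubjectPublicKeyInfo) for each issuer in the presented chain and compares it with the published TLSA data. All function names are hypothetical, and the certificates are constructed stand-ins labelled R10/R11, not real Let's Encrypt certificates.

```python
import hashlib

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo (header included) of an X.509 cert."""
    _, pos, _ = _tlv(cert_der, 0)        # enter Certificate
    _, pos, _ = _tlv(cert_der, pos)      # enter tbsCertificate
    tag, _, after = _tlv(cert_der, pos)
    if tag == 0xA0:                      # explicit [0] version, absent in v1 certs
        pos = after
    for _field in range(5):              # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)
    return cert_der[pos:end]

def tlsa_211(cert_der):
    """Hex digest for a '2 1 1' record: SHA-256 over the certificate's SPKI."""
    return hashlib.sha256(spki_der(cert_der)).hexdigest()

def matching_issuers(chain_der, published):
    """Digests of issuer certs in the presented chain (leaf first) that are published."""
    wanted = {p.replace(" ", "").lower() for p in published}
    return [d for d in map(tlsa_211, chain_der[1:]) if d in wanted]

def monitor(chain_der, published):
    return "OK" if matching_issuers(chain_der, published) else "ALERT: no TLSA 2 1 1 match"

# --- constructed sample data: fake certificates, not real Let's Encrypt ones ---
def _der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths only (< 128 bytes)

def fake_cert(key_label):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, b"") * 4 + _der(0x30, key_label))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

LEAF, R10, R11 = (fake_cert(k) for k in (b"leaf-key", b"r10-key", b"r11-key"))
ONLY_R10 = [tlsa_211(R10)]
ALL_ISSUERS = [tlsa_211(R10), tlsa_211(R11)]

if __name__ == "__main__":
    print(monitor([LEAF, R10], ONLY_R10))     # chain issued by the published issuer
    print(monitor([LEAF, R11], ONLY_R10))     # renewal from an unpublished issuer
    print(monitor([LEAF, R11], ALL_ISSUERS))  # all issuers published
```

In real use, pass the DER form of the chain the MX actually presents (for example each PEM block converted with `ssl.PEM_cert_to_DER_cert`) and the digests from the TLSA records fetched from DNS.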
