On Fri, Jun 06, 2025 at 09:40:31AM +0200, Florian Piekert via Postfix-users wrote:
> I have (tried to) setup floppy.org with dnssec and TLSA records in the > zonefile. > > root@sonne:~# dig _25._tcp.floppy.org any > > _25._tcp.floppy.org. 3600 IN TLSA 3 1 1 > 78D7BF87633081A2D183918EB548597BC10F161E3CC329BF54BBFEBC B7BE7EA1 > _25._tcp.floppy.org. 3600 IN TLSA 3 1 1 > 1633E2C5287BDEA67BB7D2AC525707C3989B7B3223D60B91078B0015 ED355897 > _25._tcp.floppy.org. 3600 IN RRSIG TLSA 13 4 3600 20250618082914 > 20250604085831 44166 floppy.org. [...] That's not useful when the domain's explicit MX hosts are different from the domain name. > DANE validator > https://www.mailhardener.com/tools/dane-validator?domain=floppy.org > says ok With support from the kind folks at ant.isi.edu, I operate a DANE survey, whose observations from the most recent survey run (~16:00–21:00 UTC each day) can be seen at (e.g. for your domain): https://stats.dnssec-tools.org/explore/?floppy.org > The above sha256 fingerprints are from the fullchain.pem (or cert.pem, > doesn't make a difference in the output) cert files. main.cf: > ... > smtpd_tls_chain_files = /etc/letsencrypt/live/sonne.floppy.org/privkey.pem, > /etc/letsencrypt/live/sonne.floppy.org/fullchain.pem, > > /etc/letsencrypt/live/sonne.floppy.org-rsa/privkey.pem, > > /etc/letsencrypt/live/sonne.floppy.org-rsa/fullchain.pem There need to be TLSA records for each MX host, and the separate MX hosts should have separate certificates whose "rotation" is staggered at least a few days apart to avoid a single point of failure should the rollover go wrong. The validity of the deployed certificate chain vs. live TLSA records should be actively monitored (I recommend at least hourly checks). Perhaps with the aid of: https://list.sys4.de/hyperkitty/list/dane-us...@list.sys4.de/thread/NKDBQABSTAAWLTHSZKC7P3HALF7VE5QY/ With "3 1 X" TLSA records, when the underlying public key is about to change, TLSA records need to be updated a few DNS TTLs in advance of their deployment to include new records matching the *upcoming* key in addition to records matching the still *active* key. Once the key rollover is performed, the old TLSA records should be removed, a few sloppy operates never delete old TLSA records, and the DNS RRset keeps growing to absurd lengths. https://stats.dnssec-tools.org/explore/?evocat.net > Since you mentioned -or maybe Wietse- to not trust tests on the > internet, I am wondering if I am still missing something on a DANE > setup for my domain. Can you verify/help? Well tests that claim your security is poor based on absurdly strict criteria are the ones I generally recommend against, and sometimes it is not easy to know which tests are well designed and which not. -- Viktor. _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
