Hi,
I have been playing around with the dane check tool from sys4 too, and
it seems it doesn't support the nice CNAME trick shown in
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
The tool does not seem to follow the CNAME pointer, and concludes with
the error "No TLSA records." Seems to me a nice improvement if it would
support the CNAME trick ;)
Regards,
Tom
On 06-06-16 16:46, Viktor Dukhovni wrote:
> On Mon, Jun 06, 2016 at 03:58:51PM +0200, Alexandre Ellert wrote:
>
>> I've just enabled DANE and https://dane.sys4.de
>> is green when I test my domain numeezy.com. Also
>> postfix SMTP client says "Verified TLS connection established to
>> mail-in-1.numeezy.com[188.165.154.163]:25: TLSv1.2 with cipher
>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)"
>>
>> Maybe some DANE expert here can definitely confirm that my setup is sane.
>
> Yes, your DANE TLSA records match for both the primary and secondary
> MX hosts. You've also *not* made the mistake of using the same
> certificate for both the primary and secondary MX hosts, thereby
> risking an outage of both when you replace a single certificate.
> And you're using "3 1 1" records which are stable when you renew
> your certificate with the same private key. So overall, quite
> good, however you can do even better, see:
>
> https://www.ietf.org/mail-archive/web/uta/current/msg01498.html
>
> based on which I would strongly recommend:
>
> _25._tcp.mail-in-1.numeezy.com. IN TLSA 3 1 1
> cf43899685886c77e6e86d6a063c957df7858e7ea1bc3896b464fc6502685b48
> _25._tcp.mail-in-1.numeezy.com. IN TLSA 2 1 1
> d765efb29fd40114afb1e830dbca8d1283e99086617ff18b07ad4ba58e7b0166
>
> _25._tcp.mail-in-2.numeezy.com. IN TLSA 3 1 1
> 8aee8995fca9c9cb89d0057f40b42cdcf23b1abc037681acd74af8c68b12a41e
> _25._tcp.mail-in-2.numeezy.com. IN TLSA 2 1 1
> d765efb29fd40114afb1e830dbca8d1283e99086617ff18b07ad4ba58e7b0166
>
> The above is based on the below observed DNS records, certificate
> chain and associated matching TLSA records:
>
> numeezy.com. IN MX 1 mail-in-1.numeezy.com.
> numeezy.fr. IN MX 1 mail-in-1.numeezy.com.
> medialta.com. IN MX 1 mail-in-1.numeezy.com.
> medialta.fr. IN MX 1 mail-in-1.numeezy.com.
> medialta.eu. IN MX 1 mail-in-1.numeezy.com.
> mail-in-1.numeezy.com. IN A 188.165.154.163 ; passed
> _25._tcp.mail-in-1.numeezy.com. IN TLSA 3 1 1
> cf43899685886c77e6e86d6a063c957df7858e7ea1bc3896b464fc6502685b48 ; passed at
> depth=0
> ;
> ; Depth: actual=0, wire=0
> ; Subject = CN=mail-in-1.numeezy.com,O=Numeezy
> SARL,L=PARIS,ST=Ile-de-France,C=FR
> ; Issuer = CN=StartCom Class 3 OV Server CA,OU=StartCom Certification
> Authority,O=StartCom Ltd.,C=IL
> ; Valid from 2016-05-17T12:16:30Z until 2019-05-17T12:16:30Z
> ; _25._tcp.mail-in-1.numeezy.com. IN TLSA 3 1 1
> cf43899685886c77e6e86d6a063c957df7858e7ea1bc3896b464fc6502685b48
> ; _25._tcp.mail-in-1.numeezy.com. IN TLSA 3 0 1
> 50f417dbdab3677847eb0107d363044f4166eed1bb333daf6320d6b8daefb70e
> ; _25._tcp.mail-in-1.numeezy.com. IN TLSA 3 1 2
> 5061dc02e6df14ad409acb5c2bb4992f80e1a5a1cc53faa5d81bd42d644010260e9a94747599c49df6b576981a6c6bf02b86764758c2bf4008ae6387f558a7c4
> ; _25._tcp.mail-in-1.numeezy.com. IN TLSA 3 0 2
> b7b3d2036ad1d77d6c187e1f3fd9de28fc3f74af725a48c242bebc8eb1c4af56b06747bb1622cb27ef696f8741d09066d640768f9caa944a8981da174752a058
> ;
> ; Depth: actual=1, wire=1
> ; Match = mail-in-1.numeezy.com
> ; Subject = CN=StartCom Class 3 OV Server CA,OU=StartCom Certification
> Authority,O=StartCom Ltd.,C=IL
> ; Issuer = CN=StartCom Certification Authority,OU=Secure Digital
> Certificate Signing,O=StartCom Ltd.,C=IL
> ; Valid from 2015-12-16T01:00:05Z until 2030-12-16T01:00:05Z
> ; _25._tcp.mail-in-1.numeezy.com. IN TLSA 2 1 1
> d765efb29fd40114afb1e830dbca8d1283e99086617ff18b07ad4ba58e7b0166
> ; _25._tcp.mail-in-1.numeezy.com. IN TLSA 2 0 1
> ea4e5d2b9c99560f13dd094b8121a623bfdd902038dfd6d772ce32ffabec094d
> ; _25._tcp.mail-in-1.numeezy.com. IN TLSA 2 1 2
> d26da4f0733b1f4af61f9db3c0e5bd6e379022e41038cb2cf7f38e273bdcaf98e0afd9b119e0fd85b090afec3d46020cbaee0158015666360ccc73418a0d3794
> ; _25._tcp.mail-in-1.numeezy.com. IN TLSA 2 0 2
> 6a4bd383b21927f44f09263819d2917edbd8a8ea58d97dac48c26a1e88e5c7062691366f79300705da4b68b5bf9153477241f7603faf4ac03d1cde69abaef328
>
> numeezy.com. IN MX 5 mail-in-2.numeezy.com.
> numeezy.fr. IN MX 5 mail-in-2.numeezy.com.
> medialta.com. IN MX 5 mail-in-2.numeezy.com.
> medialta.fr. IN MX 5 mail-in-2.numeezy.com.
> medialta.eu. IN MX 5 mail-in-2.numeezy.com.
> mail-in-2.numeezy.com. IN A 37.59.203.174 ; passed
> _25._tcp.mail-in-2.numeezy.com. IN TLSA 3 1 1
> 8aee8995fca9c9cb89d0057f40b42cdcf23b1abc037681acd74af8c68b12a41e ; passed at
> depth=0
> ;
> ; Depth: actual=0, wire=0
> ; Subject = CN=mail-in-2.numeezy.com,O=Numeezy
> SARL,L=PARIS,ST=Ile-de-France,C=FR
> ; Issuer = CN=StartCom Class 3 OV Server CA,OU=StartCom Certification
> Authority,O=StartCom Ltd.,C=IL
> ; Valid from 2016-05-17T12:39:52Z until 2019-05-17T12:39:52Z
> ; _25._tcp.mail-in-2.numeezy.com. IN TLSA 3 1 1
> 8aee8995fca9c9cb89d0057f40b42cdcf23b1abc037681acd74af8c68b12a41e
> ; _25._tcp.mail-in-2.numeezy.com. IN TLSA 3 0 1
> c49354b6b553fed27d8b66aa42a7be4f18d8979e5c6260bd62d174051fb58b3a
> ; _25._tcp.mail-in-2.numeezy.com. IN TLSA 3 1 2
> 7292aba36d879109a7ef70143ca3dc499c7774b693f4e6f9392ccb8b365b084cf583ee2533d4987582d8e8626c7f4d894826f3df0e686c07c201a5af08020b86
> ; _25._tcp.mail-in-2.numeezy.com. IN TLSA 3 0 2
> cd703c0fd747873a29d6467dc6e18fc7334a94918e59d9c6a9ba7320f1c8aea8473fe8d1edac9f3e2e7d6099eb17231832c5cc013500340be22c3830e91a21a2
> ;
> ; Depth: actual=1, wire=1
> ; Match = mail-in-2.numeezy.com
> ; Subject = CN=StartCom Class 3 OV Server CA,OU=StartCom Certification
> Authority,O=StartCom Ltd.,C=IL
> ; Issuer = CN=StartCom Certification Authority,OU=Secure Digital
> Certificate Signing,O=StartCom Ltd.,C=IL
> ; Valid from 2015-12-16T01:00:05Z until 2030-12-16T01:00:05Z
> ; _25._tcp.mail-in-2.numeezy.com. IN TLSA 2 1 1
> d765efb29fd40114afb1e830dbca8d1283e99086617ff18b07ad4ba58e7b0166
> ; _25._tcp.mail-in-2.numeezy.com. IN TLSA 2 0 1
> ea4e5d2b9c99560f13dd094b8121a623bfdd902038dfd6d772ce32ffabec094d
> ; _25._tcp.mail-in-2.numeezy.com. IN TLSA 2 1 2
> d26da4f0733b1f4af61f9db3c0e5bd6e379022e41038cb2cf7f38e273bdcaf98e0afd9b119e0fd85b090afec3d46020cbaee0158015666360ccc73418a0d3794
> ; _25._tcp.mail-in-2.numeezy.com. IN TLSA 2 0 2
> 6a4bd383b21927f44f09263819d2917edbd8a8ea58d97dac48c26a1e88e5c7062691366f79300705da4b68b5bf9153477241f7603faf4ac03d1cde69abaef328
>
> You have three-year certificates; that may well be "too long", in
> 3 years' time you'll forget you have DANE TLSA records that need to
> change when you change your private/public key pair. Also after
> three years you'll probably want a new private key.
>
> Carefully document the correct certificate rollover procedure and
> required DNS updates in README files in the directories where the
> certificates are kept and reference them in the main.cf file or
> other configuration files that use those certificates.
>
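As an added illustration of the two points raised in this thread (it is not code from the sys4 checker, from Postfix, or from any poster): a minimal TLSA matcher that follows CNAMEs from the `_25._tcp.<host>` owner name before giving up with "no TLSA records", and that checks "3 1 1", "3 0 1" and "2 1 1" records against a certificate chain the way the depth-annotated output above does. The zone, the domain names and the "certificate" byte strings are all constructed placeholders; real DANE hashes the DER-encoded certificate or SubjectPublicKeyInfo, which these blobs merely stand in for. The point it makes concrete is Viktor's advice: a "3 1 1" record survives a renewal with the same key, a "3 0 1" record does not, and a "2 1 1" record on the issuing CA survives even a key change.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates and their
# SubjectPublicKeyInfo (SPKI) blobs. Real DANE hashes the DER bytes; these
# are simply distinct byte strings so the example runs offline.
EE_CERT = b"constructed-der:end-entity:mail-in-1:2016"
EE_SPKI = b"constructed-spki:end-entity-key-v1"
CA_CERT = b"constructed-der:issuing-ca"
CA_SPKI = b"constructed-spki:issuing-ca-key"

# Chain as presented by the server: depth 0 is the end-entity certificate,
# depth 1 its issuer. Each element is (cert_der, spki_der).
CHAIN = [(EE_CERT, EE_SPKI), (CA_CERT, CA_SPKI)]


def matching_data(cert_der, spki_der, selector, mtype):
    """Hex 'certificate association data' for one selector / matching type.
    selector 0 = full certificate, 1 = SPKI only;
    matching type 0 = raw, 1 = SHA-256, 2 = SHA-512 (RFC 6698)."""
    blob = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return blob.hex()
    if mtype == 1:
        return hashlib.sha256(blob).hexdigest()
    if mtype == 2:
        return hashlib.sha512(blob).hexdigest()
    raise ValueError("unknown matching type %r" % mtype)


# TLSA RRset published once and shared via CNAME (the "CNAME trick").
TLSA_RECORDS = [
    (3, 1, 1, matching_data(EE_CERT, EE_SPKI, 1, 1)),  # stable across renewals with same key
    (3, 0, 1, matching_data(EE_CERT, EE_SPKI, 0, 1)),  # breaks on every renewal
    (2, 1, 1, matching_data(CA_CERT, CA_SPKI, 1, 1)),  # survives an end-entity key change
]

# Constructed zone: owner name -> (rrtype, rdata). Not real DNS.
ZONE = {
    "_25._tcp.mail-in-1.example.com.": ("CNAME", "_dane.example.com."),
    "_dane.example.com.": ("TLSA", TLSA_RECORDS),
}


def resolve_tlsa(zone, name, max_hops=8):
    """Follow CNAMEs from `name` to a TLSA RRset.
    Returns (final_owner_name, records); records is [] when none exist."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError("CNAME loop at %s" % name)
        seen.add(name)
        rrtype, rdata = zone.get(name, (None, None))
        if rrtype == "CNAME":
            name = rdata            # keep following the pointer
            continue
        if rrtype == "TLSA":
            return name, rdata
        return name, []             # a checker that stops here reports "No TLSA records"
    raise ValueError("too many CNAME hops from %s" % name)


def dane_verify(records, chain):
    """Return the (usage, selector, mtype, depth) tuples of records that match.
    Usage 3 (DANE-EE) is checked against depth 0 only; usage 2 (DANE-TA)
    against every issuer at depth >= 1. Usages 0/1 need PKIX and are skipped."""
    matches = []
    for usage, sel, mt, data in records:
        if usage == 3:
            depths = [0]
        elif usage == 2:
            depths = range(1, len(chain))
        else:
            continue
        for d in depths:
            cert, spki = chain[d]
            if matching_data(cert, spki, sel, mt) == data:
                matches.append((usage, sel, mt, d))
    return matches


def check_host(zone, owner, chain):
    """Resolve the TLSA owner name (following CNAMEs) and verify the chain."""
    _, records = resolve_tlsa(zone, owner)
    return dane_verify(records, chain)


def lookup_status(zone, name):
    """'ok', 'none' or 'loop' for a TLSA owner name; used to surface failures."""
    try:
        _, records = resolve_tlsa(zone, name)
    except ValueError:
        return "loop"
    return "ok" if records else "none"


if __name__ == "__main__":
    print(check_host(ZONE, "_25._tcp.mail-in-1.example.com.", CHAIN))
```

Run it against a renewed chain (new certificate bytes, same SPKI) and only the "3 0 1" record drops out; run it against a re-keyed chain (new SPKI) and only the "2 1 1" record still matches, which is why a "2 1 1" alongside the "3 1 1" is the safety net during the rollover Viktor asks you to document.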