On 14/6/2019 21:20, Viktor Dukhovni wrote:
On Fri, Jun 14, 2019 at 06:22:55PM +0300, Lefteris Tsintjelis wrote:Best to create the DNS record from the public certificate.No, actually, best to create from the public key. https://github.com/danefail/list/issues/47#issuecomment-456623996
Yes, thank you Viktor, exactly like that. 3 1 1 is the best way to do it. No need for any "known CAs" with this method.
Is there a way to check from logs or headers if DANE was used (un)successfully and possibly monitor the method as well?
smime.p7s
Description: S/MIME Cryptographic Signature
