On Thu, Jun 23, 2022 at 01:42:46PM -0400, John R Levine wrote:

> Among the reasons that DANE in e-mail is less common is that it is tricky. 

DANE is only "tricky" when you're trying to integrate TLSA record
updates with ACME cert rollovers and don't configure key reuse.

Otherwise the same "3 1 1" record continues to work across cert
rollovers for multiple domains, regardless of the MX hostname used.
For example:

    digitalehuisbaas.be. IN MX 10 mail.digitalehuisbaas.be.
    mail.digitalehuisbaas.be. IN A 141.138.169.203
    mail.digitalehuisbaas.be. IN AAAA 2a03:3c00:a002:203::1001
    _25._tcp.mail.digitalehuisbaas.be. IN TLSA 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb
      mail.digitalehuisbaas.be[141.138.169.203]: pass: TLSA match: depth = 0
        name = webhostingserver.nl
          pkey sha256 [matched] <- 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb
      mail.digitalehuisbaas.be[2a03:3c00:a002:203::1001]: pass: TLSA match: depth = 0
        name = webhostingserver.nl
          pkey sha256 [matched] <- 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb

    headshot.amsterdam. IN MX 10 mail.headshot.amsterdam.
    mail.headshot.amsterdam. IN A 141.138.169.226
    mail.headshot.amsterdam. IN AAAA 2a03:3c00:a002:226::1000
    _25._tcp.mail.headshot.amsterdam. IN TLSA 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb
      mail.headshot.amsterdam[141.138.169.226]: pass: TLSA match: depth = 0
        name = webhostingserver.nl
          pkey sha256 [matched] <- 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb
      mail.headshot.amsterdam[2a03:3c00:a002:226::1000]: pass: TLSA match: depth = 0
        name = webhostingserver.nl
          pkey sha256 [matched] <- 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb

    creatievestudio.be. IN MX 10 mail.creatievestudio.be.
    mail.creatievestudio.be. IN A 141.138.169.210
    mail.creatievestudio.be. IN AAAA 2a03:3c00:a002:210::100d
    _25._tcp.mail.creatievestudio.be. IN TLSA 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb
      mail.creatievestudio.be[141.138.169.210]: pass: TLSA match: depth = 0
        name = webhostingserver.nl
          pkey sha256 [matched] <- 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb
      mail.creatievestudio.be[2a03:3c00:a002:210::100d]: pass: TLSA match: depth = 0
        name = webhostingserver.nl
          pkey sha256 [matched] <- 3 1 1 e415b82b2e85867110f488617b98c9492cadf727b405eabea7d96e97744dfafb

    ... ~95 thousand more ...

-- 
    Viktor.
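Added example (editorial, not part of Viktor's message or any project's code): the "3 1 1" value in the records above is SHA-256 over the DER-encoded SubjectPublicKeyInfo (usage 3 = DANE-EE, selector 1 = SPKI, matching type 1 = SHA-256), so it depends only on the server's key, not on the certificate wrapped around it. The script below assumes the openssl command-line tool is installed, generates one key with two "renewed" self-signed certificates plus a third certificate on a fresh key, and shows that the 3 1 1 digest is unchanged while the key is reused but changes when the key is not; for contrast it also computes the "3 0 1" (whole-certificate) digest, which changes on every renewal. mail.example.test is a constructed hostname.

```shell
#!/bin/sh
# Added example, not from the original message. Computes the "3 1 1" TLSA
# digest (SHA-256 over the DER SubjectPublicKeyInfo) and shows that it only
# changes when the key changes. Assumes the openssl CLI is available.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# tlsa_311 CERT.pem -> hex "3 1 1" digest: SHA-256 of the DER SPKI.
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# tlsa_301 CERT.pem -> hex "3 0 1" digest: SHA-256 of the whole DER cert.
tlsa_301() {
    openssl x509 -in "$1" -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Constructed fixtures (not real deployments): one long-lived key, two
# self-signed "renewals" that reuse it (different serial and subject, as a
# real rollover would have), and one certificate on a fresh key standing in
# for a rollover done without key reuse.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/key.pem" 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/newkey.pem" 2>/dev/null
openssl req -new -x509 -key "$WORK/key.pem" -set_serial 1 -days 1 \
    -subj "/CN=mail.example.test" -out "$WORK/cert1.pem" 2>/dev/null
openssl req -new -x509 -key "$WORK/key.pem" -set_serial 2 -days 1 \
    -subj "/CN=mail.example.test/O=renewed" -out "$WORK/cert2.pem" 2>/dev/null
openssl req -new -x509 -key "$WORK/newkey.pem" -set_serial 3 -days 1 \
    -subj "/CN=mail.example.test" -out "$WORK/cert3.pem" 2>/dev/null

# The record an operator would publish; identical for cert1 and cert2.
printf '_25._tcp.mail.example.test. IN TLSA 3 1 1 %s\n' \
    "$(tlsa_311 "$WORK/cert1.pem")"
printf 'same key, renewed cert -> 3 1 1 %s\n' "$(tlsa_311 "$WORK/cert2.pem")"
printf 'fresh key              -> 3 1 1 %s\n' "$(tlsa_311 "$WORK/cert3.pem")"
printf '"3 0 1" changes on every renewal even with key reuse: %s vs %s\n' \
    "$(tlsa_301 "$WORK/cert1.pem")" "$(tlsa_301 "$WORK/cert2.pem")"
```

The same pipeline run against a live server's presented certificate (for example after `openssl s_client -starttls smtp`) is how an operator verifies that the published 3 1 1 record matches before and after an ACME renewal; the point of the message is that with key reuse configured the record never needs to change. Because DANE-EE (usage 3) matching is on the key alone, the subject name in the certificate is not part of the check, which is why the output above passes even though the MX hostnames differ from the certificate name.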

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
