* on the Tue, Mar 04, 2014 at 10:42:27PM +0000, Viktor Dukhovni wrote:
> but all the levels other than "dane" don't scale beyond a handful
> of peer sites. The "dane" level can scale, but at this time there
> are essentially no domains that have DNSSEC sized zones with TLSA
> records for SMTP (a total ~20 domains).
>
> Please help grow DANE adoption by implementing DNSSEC on your domain
> and publishing TLSA records (only once you understand how to keep
> these working properly with key rotation, we want DANE to work
> reliably for all receiving domains that commit to authenticated
> TLS by publishing TLSA records). So most users should wait 6-12
> months, by which time the standards will be better defined, and
> more deployment documentation will be available, maybe even an
> implementation in Exim. Early adopters strongly familiar with
> DNSSEC, TLS, and so on can deploy now.
I've had DANE on
https://grepular.com/ for a while now. I recently
added it to my MX for grepular.com too. However, I am not aware of
anyone else using it with SMTP, so it would be good to get some sort
of confirmation that I am doing it correctly, or incorrectly.
Just to confuse matters a little, the AAAA record for my primary MX
points to a completely different machine than the A record, both
present different certificates (from Startssl.com), both with
different CN's, neither of which match the MX name. I have two
separate DANE records to deal with that. I assume that the fact that
only one of the two DANE records matches the cert presented is fine
as it's the same as what happens during key rollovers in DNSSEC and
would be necessary in some common configurations anyway.
Anyway, this isn't particularly Exim related, but if people want
to test my odd DANE setup, when implementing DANE in Exim or
elsewhere, feel free to poke me about it.
--
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4