Re: [exim] DNSSEC, TLSA, DKIM howto's

Góra strony
Delete this message
Reply to this message
Autor: Viktor Dukhovni
Data:  
Dla: exim-users
Temat: Re: [exim] DNSSEC, TLSA, DKIM howto's
On Fri, Oct 10, 2014 at 11:43:06PM +0200, Mark Elkins wrote:

> I control both server and DNS. I went with:
>
> _25._tcp.mje99.posix.co.za. IN TLSA 3 0 1 {hexxy stuff}


Note however, that with the "za" TLD unsigned, most sites will not
be able to validate your zone keys/signature. At least my DNS
resolver is not using any DLV look-aside servers. So in effect
your domain looks like an unsigned non-DANE domain.


> I'm unsure of the middle digit...
> 0 = Full certificate
> 1 = SubjectPublicKeyInfo
> ... doesn't mean very much to me.


The digest can either cover the entire certificate, or just the
enclosed public key. I recommend the latter. Starting with
a certificate file, you can obtain the hex bits via:

    $ openssl x509 -in cert.pem -noout -pubkey |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 | 
    awk '{printf "IN TLSA 3 1 1 %s\n", $NF}'


This is of course somewhat moot with "za" unsigned.

    http://stats.research.icann.org/dns/tld_report/


-- 
    Viktor.