Re: [exim] Exim & DANE .. status ?

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Exim & DANE .. status ?
On Tue, May 22, 2018 at 12:30:23PM -0400, Viktor Dukhovni via Exim-users wrote:

> One small correction to the text below:
>
>    https://tools.ietf.org/html/rfc7671#section-5.2.2


Perhaps another tweak would be useful, in the below:

    At the time of writing, https://www.huque.com/bin/gen_tlsa is
    useful for quickly generating TLSA records; and commands like


      $ openssl x509 -pubkey -noout <certificate.pem \
        | openssl rsa -outform der -pubin 2>/dev/null \
        | openssl sha512 \
        | awk '{print $2}'


It should be emphasized that this generates hashes for "3 1 2" TLSA
records. I don't think that "3 1 2" is warranted at present and
DNS packet sizes should be kept as small as possible to avoid issues
with dropped UDP fragments. So I would instead recommend "3 1 1",
i.e. a "sha256" rather than "sha512" hash. The command would be
(no longer RSA-specific, at the cost of requiring OpenSSL 1.0.0
or later):

    $ fqdn=$(uname -n) # or some manually entered name
    $ hash="$(
        # public key (SPKI) in DER form, SHA-256 digest, printed as hex
        openssl x509 -pubkey -noout -in certificate.pem |
        openssl pkey -pubin -outform der |
        openssl dgst -sha256 -binary |
        hexdump -ve '/1 "%02x"'
      )"
    $ empty="$(
        # digest of empty input, which is what a failed pipeline produces
        openssl dgst -sha256 -binary </dev/null |
        hexdump -ve '/1 "%02x"'
      )"
    $ if [ "$hash" != "$empty" ]; then
        printf "_25._tcp.%s. IN TLSA 3 1 1 %s\n" "$fqdn" "$hash"
      fi


This also checks that the hash is not the hash of an empty input,
due to failure of "openssl x509" and/or "openssl pkey".

-- 
    Viktor.
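
Added example, not part of the original message or of Exim: what a "3 1 1" record hashes, computed with only the Python standard library, so that a malformed or empty certificate raises an error instead of yielding the hash of nothing. The helper names (`read_tlv`, `spki_der`, `tlsa_record`, `der_elem`), the constructed sample bytes and `mail.example.com` are assumptions made for illustration.

```python
import hashlib

def read_tlv(buf, off):
    """Parse one DER element at off; return (tag, value_start, end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated or empty DER input")
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:                          # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[off:off + k], "big")
        off += k
    if off + n > len(buf):
        raise ValueError("truncated DER input")
    return tag, off, off + n

def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo, the bytes TLSA selector 1 hashes."""
    _, start, _ = read_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, off, _ = read_tlv(cert_der, start)     # tbsCertificate SEQUENCE
    if read_tlv(cert_der, off)[0] == 0xA0:    # optional [0] version
        off = read_tlv(cert_der, off)[2]
    for _ in range(5):    # serial, signature alg, issuer, validity, subject
        off = read_tlv(cert_der, off)[2]
    tag, _, end = read_tlv(cert_der, off)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[off:end]

def tlsa_record(fqdn, cert_der, mtype=1, port=25):
    """Build a "3 1 <mtype>" record line; mtype 1 = SHA-256, 2 = SHA-512."""
    algo = {1: hashlib.sha256, 2: hashlib.sha512}[mtype]
    digest = algo(spki_der(cert_der)).hexdigest()  # parse error raises first
    return "_%d._tcp.%s. IN TLSA 3 1 %d %s" % (port, fqdn, mtype, digest)

def der_elem(tag, body):    # short (< 128 byte) DER element, for the sample
    return bytes([tag, len(body)]) + body

# Constructed sample (not a real key or valid cert): Ed25519-shaped SPKI.
SAMPLE_SPKI = der_elem(0x30, der_elem(0x30, b"\x06\x03\x2b\x65\x70")
                       + der_elem(0x03, b"\x00" + bytes(range(32))))
SAMPLE_TBS = (der_elem(0xA0, der_elem(0x02, b"\x02")) + der_elem(0x02, b"\x01")
              + der_elem(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = der_elem(0x30, der_elem(0x30, SAMPLE_TBS)
                       + der_elem(0x30, b"") + der_elem(0x03, b"\x00"))

if __name__ == "__main__":
    for mtype in (1, 2):                  # compare RDATA size: 32 vs 64 bytes
        print(tlsa_record("mail.example.com", SAMPLE_CERT, mtype))
```

For a real PEM certificate, `ssl.PEM_cert_to_DER_cert()` from the standard library yields the DER bytes to pass in.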