On Thu, Jun 27, 2024 at 02:13:25PM +0200, Gerd Hoerst via Postfix-users wrote:
> Thanx ! Works

Nope, sorry, you've rather failed to read and understand those docs.

> On 27.06.24 at 13:29, Viktor Dukhovni via Postfix-users wrote:
> > > BTW: where to get the cert from to generate the 2 1 1 entry for DNS ?
> >
> > - https://list.sys4.de/hyperkitty/list/dane-us...@list.sys4.de/message/ZTM3XQMI3XP7PWMWJTXBYDPVU4UENE24/
> > - https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

Publishing just "R10" will soon fail, when you get a cert from "R11" or
one of the backup issuers R12, R13 or R14. You MUST publish them all to
avoid sudden breakage surprises.

And if you don't have monitoring of their correctness against the live
certificate chain, you should not publish any TLSA records.

Inbound DANE is not for dilettantes, either you do it right, or you're
only making problems for yourself and others.

--
    Viktor.
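
The monitoring check the reply asks for, sketched as an added example (not part of the original message, and not Postfix or Let's Encrypt code): it hashes the SubjectPublicKeyInfo of each issuer certificate in the live chain and compares it with the published "2 1 1" records. The function names are hypothetical, the chain is assumed to be supplied as DER with the leaf first, and the certificates are constructed skeletons standing in for R10 and R11.

```python
import hashlib

def tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def spki_sha256(cert_der):
    """Hex SHA-256 of the cert's SubjectPublicKeyInfo (selector 1, mtype 1)."""
    _, off, _ = tlv(cert_der, 0)           # Certificate SEQUENCE
    _, off, _ = tlv(cert_der, off)         # tbsCertificate SEQUENCE
    tag, _, after = tlv(cert_der, off)
    if tag == 0xA0:                        # optional [0] version
        off = after
    for _ in range(5):                     # serial, sigAlg, issuer, validity, subject
        _, _, off = tlv(cert_der, off)
    _, _, end = tlv(cert_der, off)         # subjectPublicKeyInfo
    return hashlib.sha256(cert_der[off:end]).hexdigest()

def check_tlsa(published, chain_der):
    """True if a published "2 1 1" RR matches an issuer in the live chain.
    chain_der[0] is the leaf; comparing only the certs above it is an assumption."""
    want = {"".join(f[3:]).lower() for f in map(str.split, published)
            if f[:3] == ["2", "1", "1"]}
    return any(spki_sha256(c) in want for c in chain_der[1:])

# --- constructed sample data: certificate skeletons, not real certificates ---
def der(tag, body):
    n = len(body)
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(ln)]) + ln) + body

def fake_cert(key):
    seq = lambda *parts: der(0x30, b"".join(parts))
    spki = seq(seq(), der(0x03, b"\x00" + key))
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
              seq(), seq(), seq(), seq(), spki)
    return seq(tbs, seq(), der(0x03, b"\x00")), spki

LEAF, _ = fake_cert(b"leaf" * 60)
R10, R10_SPKI = fake_cert(b"stand-in for R10" * 20)
R11, R11_SPKI = fake_cert(b"stand-in for R11" * 20)

if __name__ == "__main__":
    only_r10 = ["2 1 1 " + spki_sha256(R10)]
    print("chain via R10:", check_tlsa(only_r10, [LEAF, R10]))
    print("chain via R11:", check_tlsa(only_r10, [LEAF, R11]))
```

With only the R10 record published, the check passes for a chain issued by R10 and fails as soon as the chain comes from R11, which is the breakage the reply warns about.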