On 14/12/2013 1:30 PM, Viktor Dukhovni wrote:
> On Sat, Dec 14, 2013 at 12:44:49PM -0500, John Allen wrote:
>> Just a thought, maybe there is a more appropriate forum/mail list to
>> discuss this on, as this is not strictly Postfix related?
> It is fine to ask here, Postfix is the first real application to
> support DANE TLSA.
>> Thanks for the example; I will run it against my own domains. That,
>> and head over to the sites suggested by Wietse Venema.
> Well, you're unlikely to have working TLSA RRs for your SMTP service
> just by happenstance. If you want to create a TLSA RRset for your
> SMTP server, run the attached "tlsagen" shell script as follows:
>
> $ tlsagen cert.pem $(uname -n) DANE-EE PKEY SHA2-256
> _25._tcp.mail.example.com IN TLSA 3 1 1 {hex string}
>
> where "cert.pem" is the file with your Postfix SMTP server certificate,
> and $(uname -n) is presumably the fully-qualified domain name of
> the server as an MX host for your domain (otherwise use the actual name).
> The shell script expects OpenSSL 1.0.0 or later, and will not work
> with earlier versions.
>
> Then add the generated RR to your DNS zone file. When rotating
> keys (replacing your private key and cert) publish both the new
> and old TLSA records in DNS well before deploying the new key
> (allowing the old key to expire from client caches), then deploy
> the new key/cert on the server. Once the server is using the new
> key, you can update the DNS again to remove the old key from the
> TLSA RRset.
>
> The "posttls-finger" utility included with Postfix 2.11 snapshot
> source code can verify DANE SMTP support for your domain:
>
> $ posttls-finger your-domain.example
>
> If your domain is "klam.ca", then it is not currently verifiable
> via DNSSEC because there are no associated DS or DNSKEY RRs in the
> "ca." parent zone. You'd have to get that taken care of via your
> registrar before you expend further effort on DANE. Of course you
> need to be sure that your zone signing automation is all in order
> first.
Yes, unfortunately my .ca registrar is not currently capable of handling
DS or DNSKEY records, so I am using the ISC DLV. It works for most
things, but I assume from your comment that TLSA will require records at
the .ca root. I have the same problem with the other two domains where
Tucows is the registrar.
Ha well, we wouldn't be in this business if it were easy.
JohnA
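The TLSA generation and key-rotation steps quoted above, as an added example that is not part of the original thread and is not Viktor's tlsagen script: a stdlib-only Python version that pulls the SubjectPublicKeyInfo out of cert.pem with a minimal DER walker, hashes it with SHA-256 and prints the "3 1 1" zone line, plus a helper that builds the union RRset to publish during a rollover. The host name mail.example.com, the demo_spki bytes and the build_demo_cert_pem stand-in are constructed for the demo only (the stand-in has a certificate's outer DER layout but empty issuer/subject/validity fields and a dummy signature, so the walker can be exercised offline); point pem_to_der at a real cert.pem in practice.

```python
import base64
import hashlib
import re
import sys


def der_tlv(data, offset=0):
    """Read one DER TLV at offset; return (tag, value_start, value_end, next_offset)."""
    tag = data[offset]
    first = data[offset + 1]
    pos = offset + 2
    if first & 0x80:                       # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length, pos + length


def der_children(data, start, end):
    """Yield (tag, elem_start, elem_end) for each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, _, _, nxt = der_tlv(data, pos)
        yield tag, pos, nxt
        pos = nxt


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (TLSA selector 1 = PKEY) of an X.509 certificate.
    No validation is done: this locates bytes to hash, it does not decide whether to trust them."""
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {...}, signatureAlgorithm, signatureValue }
    tag, cert_vs, _, _ = der_tlv(cert_der, 0)
    tbs_tag, tbs_vs, tbs_ve, _ = der_tlv(cert_der, cert_vs)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER Certificate")
    fields = list(der_children(cert_der, tbs_vs, tbs_ve))
    if fields and fields[0][0] == 0xA0:    # optional [0] EXPLICIT version precedes serialNumber
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, start, end = fields[5]
    return cert_der[start:end]


def spki_sha256(spki_der):
    """TLSA matching type 1 (SHA2-256): hex digest of the raw SPKI bytes."""
    return hashlib.sha256(spki_der).hexdigest()


def tlsa_3_1_1(cert_der):
    """Certificate association data for a DANE-EE(3) PKEY(1) SHA2-256(1) record."""
    return spki_sha256(extract_spki(cert_der))


def tlsa_rr(cert_der, host, port=25):
    """Zone-file line in the shape tlsagen prints: _25._tcp.<mx-host>. IN TLSA 3 1 1 <hex>."""
    return f"_{port}._tcp.{host.rstrip('.')}. IN TLSA 3 1 1 {tlsa_3_1_1(cert_der)}"


def rollover_rrset(host, *cert_ders, port=25):
    """RRset to publish before a key change: one record per key that will be live, de-duplicated."""
    return sorted({tlsa_rr(der, host, port) for der in cert_ders})


# --- constructed fixture for offline use (not a real certificate or key) ---------------

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def demo_spki(seed):
    """SPKI-shaped blob: AlgorithmIdentifier for Ed25519 (1.3.101.112) plus 32 placeholder bytes."""
    alg = _der(0x30, _der(0x06, bytes([0x2B, 0x65, 0x70])))
    key = _der(0x03, b"\x00" + bytes([seed]) * 32)   # BIT STRING, 0 unused bits; NOT a real key
    return _der(0x30, alg + key)


def build_demo_cert_pem(spki_der, serial=1):
    """PEM around a DER blob with a Certificate's outer layout: empty names/validity, dummy signature."""
    tbs = b"".join([
        _der(0xA0, _der(0x02, b"\x02")),   # [0] version v3
        _der(0x02, bytes([serial])),       # serialNumber (changes on every renewal)
        _der(0x30, b""),                   # signature AlgorithmIdentifier (empty placeholder)
        _der(0x30, b""),                   # issuer Name (empty placeholder)
        _der(0x30, b""),                   # validity (empty placeholder)
        _der(0x30, b""),                   # subject Name (empty placeholder)
        spki_der,                          # subjectPublicKeyInfo: the only field a 3 1 1 record hashes
    ])
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # usage: python tlsa_gen.py [cert.pem] [mx-host]; falls back to the constructed fixture
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_demo_cert_pem(demo_spki(0x11))
    host = sys.argv[2] if len(sys.argv) > 2 else "mail.example.com"
    print(tlsa_rr(pem_to_der(pem), host))
```

Two things the code makes visible that the quoted text only implies: because selector 1 hashes only the public key, renewing a certificate with the same key leaves the TLSA record unchanged, and only a real key change needs the two-record rollover window; and rollover_rrset simply unions the "3 1 1" lines of every key that will be live, which is the set to publish before the new key goes on the server and to prune once the old key is gone. With a real certificate the equivalent OpenSSL pipeline is `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`; the output should match tlsa_3_1_1 for the same file.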