Viktor (I guess..), having followed recent DANE discussions on terminology I have to agree it isn't really intuitive and I've come to ask for help setting up a correct TLSA RR.
I've used your tlsagen script to create a TLSA RR and updated the ZONE. Now I get a warning that says:

"warning: ca-constraint trust-anchor sha256 digests disabled, in RR: _25._tcp.mail.sys4.de IN TLSA 0 1 1 .."

Can you please help me understand why the warning is given?

Thanks

p@rick

posttls-finger -F /etc/ssl/certs/ca-certificates.crt sys4.de
posttls-finger: warning: ca-constraint trust-anchor sha256 digests disabled, in RR: _25._tcp.mail.sys4.de IN TLSA 0 1 1 ...
posttls-finger: Connected to mail.sys4.de[194.126.158.139]:25
posttls-finger: < 220 mail.sys4.de ESMTP Postfix
posttls-finger: > EHLO mail.state-of-mind.de
posttls-finger: < 250-mail.sys4.de
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 40960000
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 DSN
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: mail.sys4.de[194.126.158.139]:25: Matched subjectAltName: mail.sys4.de
posttls-finger: mail.sys4.de[194.126.158.139]:25 CommonName mail.sys4.de
posttls-finger: mail.sys4.de[194.126.158.139]:25: subject_CN=mail.sys4.de, issuer_CN=RapidSSL CA, fingerprint=6C:6C:5B:6A:46:C8:E1:BB:6D:5A:A5:D6:36:B3:6C:20:15:4B:67:BF, pkey_fingerprint=4E:7B:8C:18:93:9A:7B:18:4B:4A:41:D7:25:0B:A9:1A:EB:2B:45:A1
posttls-finger: Verified TLS connection established to mail.sys4.de[194.126.158.139]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
posttls-finger: > EHLO mail.state-of-mind.de
posttls-finger: < 250-mail.sys4.de
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 40960000
posttls-finger: < 250-ETRN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 DSN
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: Munich, District Court of Munich: HRB 199263
Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein