On Sun, Dec 15, 2013 at 06:41:22PM +0100, Patrick Ben Koetter wrote:
> Having followed recent DANE discussions on terminology I have to agree it
> isn't really intuitive and I've come to ask for help setting up
> a correct TLSA RR.
>
> I've used your tlsagen script to create a TLSA RR and updated the ZONE. Now I
> get a warning that says: "warning: ca-constraint trust-anchor sha256 digests
> disabled, in RR: _25._tcp.mail.sys4.de IN TLSA 0 1 1 .."
>
> Can you please help me understand why the warning is given?
You are trying to specify DANE TLSA "certificate usage 0". This is invalid for SMTP:

http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-04#section-2.2.1.3
http://www.postfix.org/TLS_README.html#client_tls_dane

What certificate public key did you fingerprint? Your root CA certificate, or your server certificate? Why did you specify usage 0?

-- 
Viktor.
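The check behind the warning, as an added example that is not part of the thread and not Postfix's or the tlsagen script's code: it parses a TLSA RR in zone-file form and reports why it would be unusable for SMTP DANE, per the draft cited above (now RFC 7672): certificate usages 0 (PKIX-TA) and 1 (PKIX-EE) are rejected, and the selector, matching type and digest length are also sanity-checked. The digest value in the sample call is constructed, not a real fingerprint.

```python
import re

# Names from the DANE TLSA registry (RFC 6698 / RFC 7671 terminology).
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SMTP_USAGES = {2, 3}            # RFC 7672: usages 0 and 1 are unusable for SMTP
DIGEST_LEN = {1: 32, 2: 64}     # matching type -> SHA2-256 / SHA2-512 digest length

_RR = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?TLSA\s+"
    r"(?P<usage>\d+)\s+(?P<selector>\d+)\s+(?P<mtype>\d+)\s+(?P<data>[0-9A-Fa-f\s]+)$"
)


def parse_tlsa(rr):
    """Parse one TLSA RR in presentation form (owner [TTL] [IN] TLSA u s m hex)."""
    m = _RR.match(rr.strip())
    if not m:
        raise ValueError("not a TLSA RR: %r" % rr)
    hexdata = "".join(m["data"].split())  # zone files may wrap the hex over spaces
    if len(hexdata) % 2:
        raise ValueError("odd-length hex data in TLSA RR")
    return {
        "owner": m["owner"],
        "usage": int(m["usage"]),
        "selector": int(m["selector"]),
        "mtype": int(m["mtype"]),
        "data": bytes.fromhex(hexdata),
    }


def smtp_dane_problems(rr):
    """Return the reasons this TLSA RR is unusable for SMTP DANE (empty list = usable)."""
    t = parse_tlsa(rr)
    problems = []
    if t["usage"] not in SMTP_USAGES:
        problems.append("usage %d (%s) is not supported for SMTP; use 2 (DANE-TA) or 3 (DANE-EE)"
                        % (t["usage"], USAGE_NAMES.get(t["usage"], "unassigned")))
    if t["selector"] not in (0, 1):
        problems.append("selector %d is not 0 (full cert) or 1 (SubjectPublicKeyInfo)" % t["selector"])
    if t["mtype"] in DIGEST_LEN and len(t["data"]) != DIGEST_LEN[t["mtype"]]:
        problems.append("matching type %d needs a %d-byte digest, got %d bytes"
                        % (t["mtype"], DIGEST_LEN[t["mtype"]], len(t["data"])))
    elif t["mtype"] not in (0, 1, 2):
        problems.append("matching type %d is not 0 (full), 1 (SHA2-256) or 2 (SHA2-512)" % t["mtype"])
    return problems


if __name__ == "__main__":
    fake_digest = "ab" * 32  # constructed 32-byte value, not a real fingerprint
    for rr in ("_25._tcp.mail.sys4.de IN TLSA 0 1 1 " + fake_digest,
               "_25._tcp.mail.sys4.de IN TLSA 3 1 1 " + fake_digest):
        print(rr.split(" TLSA ")[1][:5], smtp_dane_problems(rr) or "usable for SMTP DANE")
```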