* Viktor Dukhovni <postfix-users@postfix.org>:
> On Sun, Dec 15, 2013 at 06:49:20PM +0000, Viktor Dukhovni wrote:
>
> > What certificate public key did you fingerprint? Your root CA
> > certificate, or your server certificate? Why did you specify usage 0?
>
> It sure looks like your TLSA RR contains the public digest of your
> server certificate, and yet you specified "certificate usage 0",
> rather than "certificate usage 3" which is the correct usage in
> this case. It would be helpful to know how you arrived at this
> choice.
This will fix the usage:

--- tlsagen_orig 2013-12-15 21:55:17.070898528 +0100 +++ tlsagen 2013-12-15 21:57:17.481758561 +0100 @@ -20,7 +20,7 @@ $/=undef; ($a=<STDIN>) =~ s/(.)/sprintf("%02X", ord($1))/egs; printf "_%d._tcp.%s. IN TLSA %d %d %d %s\n", - $port, $host, $usage, $s, $m, $a; + $port, $host, $u, $s, $m, $a; ' "$@" }

> and for the selectors:
>
> 1 - Certificate (draft Cert)
> 2 - Public-Key (draft SPKI)

draft-ietf-dane-ops-01 says:

    The selector field specifies whether the TLSA RR matches the whole
    certificate (Cert(0)) or just its subjectPublicKeyInfo (SPKI(1)).

Shouldn't it be this then?

0 - Certificate (draft Cert)
1 - Public-Key (draft SPKI)

That would correspond with tlsagen's current output on what I feed it.

p@rick

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: Munich, Munich District Court (Amtsgericht München): HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
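Review bot: in the tlsagen hunk above, the `printf` line reads the usage from `$usage` while the corrected line uses `$u`, presumably the variable the surrounding script actually sets. Because the Perl code runs inside single quotes with the shell arguments passed through `"$@"`, a `$usage` that is never assigned is simply undef, and `%d` renders undef as 0. That is how a correctly digested server certificate came out with usage 0 instead of 3, the exact mismatch raised earlier in the thread. The rename fixes it; invoking the embedded Perl with `-w` would have reported "Use of uninitialized value" instead of emitting a syntactically valid but wrong TLSA record.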
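To make the usage and selector semantics under discussion concrete, here is an added example that is not the tlsagen script from the thread. It builds TLSA records from a DER certificate for selector 0 (whole certificate) and selector 1 (subjectPublicKeyInfo), and then checks a record against a chain the way RFC 6698 usage values require: usages 1 and 3 are compared with the server certificate, usages 0 and 2 only with CA certificates, so a usage-0 record carrying the server certificate's own digest never matches. It uses only the Python standard library; the certificates, host name and port are constructed stand-ins (correct outer DER layout, no real key or signature), and `constructed_cert`, `dane_matches` and the other function names are this example's own.

```python
"""TLSA record generation and matching (RFC 6698), illustrating the usage and
selector values discussed in this thread.

Added example, not the tlsagen script from the thread. Standard library only;
the certificates are constructed stand-ins that copy the outer DER layout of
an X.509 certificate (no real key, no real signature), so this runs offline.
"""
import hashlib

# RFC 6698 field values
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_CERT, SELECTOR_SPKI = 0, 1        # full certificate vs. subjectPublicKeyInfo
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def _der(tag, content):
    """Encode one DER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_tlv(data, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def constructed_cert(subject, pubkey_bytes):
    """Constructed X.509-shaped certificate (hypothetical, not a real cert)."""
    rsa_oid = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
    spki = _der(0x30, _der(0x30, _der(0x06, rsa_oid) + _der(0x05, b""))
                + _der(0x03, b"\x00" + pubkey_bytes))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                     # [0] version v3
               + _der(0x02, b"\x01")                               # serialNumber
               + _der(0x30, _der(0x06, rsa_oid))                   # signature algorithm
               + _der(0x30, b"")                                   # issuer (empty Name)
               + _der(0x30, _der(0x18, b"20131215000000Z")
                      + _der(0x18, b"20141215000000Z"))            # validity
               + _der(0x30, _der(0x0C, subject))                   # subject (simplified)
               + spki)
    return _der(0x30, tbs + _der(0x30, _der(0x06, rsa_oid)) + _der(0x03, b"\x00sig"))


def extract_spki(der_cert):
    """Return the DER subjectPublicKeyInfo of an X.509 certificate (selector 1)."""
    _, cert_body, _ = _der_tlv(der_cert)          # Certificate ::= SEQUENCE
    _, tbs, _ = _der_tlv(cert_body)               # tbsCertificate ::= SEQUENCE
    tag, _, pos = _der_tlv(tbs)
    if tag != 0xA0:                               # optional [0] EXPLICIT version
        pos = 0
    for _ in range(5):                            # serial, signature, issuer, validity, subject
        _, _, pos = _der_tlv(tbs, pos)
    start = pos
    _, _, end = _der_tlv(tbs, pos)
    return tbs[start:end]


def tlsa_data(der_cert, selector, mtype):
    """Certificate association data as uppercase hex, like tlsagen prints it."""
    obj = der_cert if selector == SELECTOR_CERT else extract_spki(der_cert)
    if mtype == MATCH_FULL:
        return obj.hex().upper()
    digest = hashlib.sha256 if mtype == MATCH_SHA256 else hashlib.sha512
    return digest(obj).hexdigest().upper()


def tlsa_record(host, port, der_cert, usage=USAGE_DANE_EE,
                selector=SELECTOR_SPKI, mtype=MATCH_SHA256):
    """Render a TLSA RR for the given certificate (default 3 1 1)."""
    return "_%d._tcp.%s. IN TLSA %d %d %d %s" % (
        port, host, usage, selector, mtype, tlsa_data(der_cert, selector, mtype))


def dane_matches(record, chain):
    """Does the record match the chain under RFC 6698 usage semantics?

    chain[0] is the server (end-entity) certificate, chain[1:] its CAs.
    Usages 1 and 3 are compared against the server cert; usages 0 and 2
    only against CA certificates, which is why a usage-0 record carrying the
    server cert's own digest never matches. (PKIX path validation for
    usages 0/1 is out of scope here.)
    """
    f = record.split()
    i = f.index("TLSA")
    usage, selector, mtype = (int(x) for x in f[i + 1:i + 4])
    data = f[i + 4].upper()
    candidates = [chain[0]] if usage in (USAGE_PKIX_EE, USAGE_DANE_EE) else chain[1:]
    return any(tlsa_data(c, selector, mtype) == data for c in candidates)


# Constructed sample chain: a server cert and the CA that "issued" it.
SERVER_CERT = constructed_cert(b"mail.example.com", bytes(range(32)))
CA_CERT = constructed_cert(b"Constructed Root CA", bytes(range(32, 64)))

if __name__ == "__main__":
    print(tlsa_record("mail.example.com", 25, SERVER_CERT))          # 3 1 1: correct
    wrong = tlsa_record("mail.example.com", 25, SERVER_CERT, usage=USAGE_PKIX_TA)
    print(wrong, "->", dane_matches(wrong, [SERVER_CERT, CA_CERT]))  # 0 1 1: never matches
```

The default record is `3 1 1`, the DANE-EE/SPKI/SHA-256 form that the thread settles on for a server certificate; `dane_matches` is the check worth running before publishing, since it reproduces the mismatch a usage-0 record with an end-entity digest produces in a real DANE verifier.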