On Fri, Apr 25, 2014 at 02:35:55PM +0000, Eray Aslan wrote:
> > $ tlsagen cert.pem $(uname -n) DANE-EE PKEY SHA2-256
> > _25._tcp.mail.example.com IN TLSA 3 1 1 {hex string}
>
> For the record, looks like a typo in the script:

Oh, and by the way, I see your domain has working TLSA RRs. I now
know of 18 domains with working TLSA records for their MX hosts
(but two of them are mine). That list is a bit short. :-( I'm
helping the ietf.org administrator to implement STARTTLS and TLSA
records, so that'll be 19 soon.

If anyone else on this list has a DNSSEC signed domain and adds MX
host TLSA records, please feel free to drop me a note. I'll connect
to your domain from my home network a few times a year to test DANE
interoperability. You will not be exposed to any noticeable load,
nor any unwanted email messages; the connection will just complete
a TLS handshake, send "QUIT" and disconnect. (A test with
posttls-finger.)
--
Viktor.
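
What goes into the `{hex string}` of the quoted `3 1 1` record, as an added example that is not part of the original message and is not the tlsagen script: usage 3 (DANE-EE), selector 1 (public key) and matching type 1 (SHA2-256) mean the SHA2-256 digest of the certificate's DER SubjectPublicKeyInfo. The function names and the skeleton sample certificates are constructed for illustration.

```python
import base64
import hashlib

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, element_end)."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n octets hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + length

def spki_from_cert(der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280)."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, tbs_end = _tlv(der, pos)        # tbsCertificate SEQUENCE
    tag, _, nxt = _tlv(der, pos)
    if tag == 0xA0:                         # [0] version is absent in v1 certificates
        pos = nxt
    for _field in range(5):                 # serial, signature alg, issuer, validity, subject
        _, _, pos = _tlv(der, pos)
    tag, _, end = _tlv(der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return der[pos:end]

def pem_to_der(pem):
    """Decode the first CERTIFICATE block of a PEM string."""
    body = pem.split("-----BEGIN CERTIFICATE-----")[1].split("-----END CERTIFICATE-----")[0]
    return base64.b64decode("".join(body.split()))

def tlsa_311(der, host, port=25):
    """Format a DANE-EE(3) SPKI(1) SHA2-256(1) record in the layout quoted above."""
    digest = hashlib.sha256(spki_from_cert(der)).hexdigest()
    return f"_{port}._tcp.{host} IN TLSA 3 1 1 {digest}"

def _enc(tag, body=b""):                    # minimal short-form DER encoder for the samples
    return bytes([tag, len(body)]) + body

# Constructed samples: skeletons with a certificate's field layout, not real signed certs.
SAMPLE_SPKI = _enc(0x30, _enc(0x30) + _enc(0x03, b"\x00" + bytes(range(32))))
_TBS = _enc(0x02, b"\x01") + _enc(0x30) * 4 + SAMPLE_SPKI
SAMPLE_V1 = _enc(0x30, _enc(0x30, _TBS) + _enc(0x30) + _enc(0x03, b"\x00"))
SAMPLE_V3 = _enc(0x30, _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _TBS) + _enc(0x30) + _enc(0x03, b"\x00"))

if __name__ == "__main__":
    print(tlsa_311(SAMPLE_V3, "mail.example.com"))
```

Because the digest covers only the public key, the record stays valid when the certificate is reissued with the same key and must be replaced when the key changes.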