On Wed, Jan 07, 2015 at 02:07:25PM -0600, John Hascall wrote:

> Assume I have a domain with DNSSEC and inbound mail servers behind a
> (load-balanced) MX which support TLS.

With all of the MX hosts having the same private key and certificate:

> If I've been following along correctly, if I publish a DNS record of the
> form:
>
>     _25._tcp.mx.example.org. IN TLSA 3 1 1 <sha2-256 digest of DER leaf public key in X.509 SPKI format>

Or else multiple such TLSA RRs, one per real MX host behind the
load-balancer, if the number of back-end hosts is reasonably small.

> this will make some (currently smallish?) set of mail servers sending to me
> have a better assurance they are really talking to me.
> Is this correct?

Yes, and definitely smallish. Basically folks running Postfix 2.11 with:

    smtp_dns_support_level = dnssec
    smtp_tls_security_level = dane

and a validating resolver on 127.0.0.1 as the only entry in /etc/resolv.conf.

I have no count of sites that implement client-side DANE, I can only
survey the domains that publish TLSA RRs for such sites to use.

> And does "leaf public key" refer to the public key associated with the
> cert used for STARTTLS or ...something else...?

The former:

    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' \
        $(uname -n) \
        $(openssl x509 -in cert.pem -noout -pubkey |
          openssl pkey -pubin -outform DER |
          openssl dgst -sha256 -binary |
          hexdump -ve '/1 "%02x"')

-- 
	Viktor.
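The "3 1 1" digest that the openssl pipeline above publishes can be checked from the client side as well. The following is an added example, not part of this thread or of Postfix: a dependency-free Python script that extracts the SubjectPublicKeyInfo TLV from a DER certificate, computes the TLSA 3 1 1 data, and accepts a presented certificate if it matches any of the published RRs (the multiple-RR case for a load-balanced MX with several back-end keys). The certificate it operates on is a constructed, certificate-shaped stand-in, not a real signed certificate; the function names are the example's own.

```python
import hashlib

def der_tlv(data, pos=0):
    """Decode one DER TLV at data[pos:]; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: N length bytes follow
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.
    RFC 5280 field order: [0] version (optional), serialNumber, signature,
    issuer, validity, subject, subjectPublicKeyInfo."""
    _, cert, _ = der_tlv(cert_der)           # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert)                # tbsCertificate SEQUENCE
    tag, _, pos = der_tlv(tbs)
    if tag != 0xA0:                          # no explicit version: v1 cert
        pos = 0
    for _ in range(5):                       # skip serial .. subject
        _, _, pos = der_tlv(tbs, pos)
    _, _, end = der_tlv(tbs, pos)
    return tbs[pos:end]                      # selector 1 hashes this whole TLV

def tlsa_311_data(cert_der):
    """Hex digest belonging in a '3 1 1' TLSA RR for this certificate."""
    return hashlib.sha256(spki_from_cert(cert_der)).hexdigest()

def dane_ee_matches(cert_der, tlsa_rrs):
    """True if the presented certificate matches any published 3 1 1 RR,
    which is what a load-balanced MX with one RR per back-end key needs."""
    digest = tlsa_311_data(cert_der)
    return any(u == 3 and s == 1 and m == 1 and d.lower() == digest
               for u, s, m, d in tlsa_rrs)

def der(tag, content):
    """Tiny DER encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed sample: a certificate-shaped DER blob (not a real, signed cert)
# whose SPKI carries the ecPublicKey OID and a dummy 65-byte point.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201")))
                  + der(0x03, b"\x00" + b"\x04" * 65))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                  + der(0x30, b"") * 4 + SAMPLE_SPKI) + der(0x30, b"") + der(0x03, b"\x00"))
```

For a real certificate, feed it the output of `openssl x509 -in cert.pem -outform DER`; the digest must equal what the printf pipeline in the message prints.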