On Wed, Jan 07, 2015 at 02:29:51PM -0600, John Hascall wrote:
> On what what basis would we decide between a single TLSA record for the MX
> vs. individual TLSA records for each actual host?
Frankly, I don't see much point in load-balancers in front of
inbound port 25 MX hosts. So I'd publish a multi-host MX RRset,
and use the load-balancer for some other protocol that needs it.
example.com. IN MX 0 mx1.example.com.
mx1.example.com. IN A 192.0.2.1
_25._tcp.mx1.example.com. IN TLSA 3 1 1 <digest of mx1's public key>
;
example.com. IN MX 0 mx2.example.com.
mx2.example.com. IN A 192.0.2.2
_25._tcp.mx2.example.com. IN TLSA 3 1 1 <digest of mx2's public key>
;
...
;
example.com. IN MX 0 mx9.example.com.
mx9.example.com. IN A 192.0.2.9
_25._tcp.mx9.example.com. IN TLSA 3 1 1 <digest of mx9's public key>
> Is it that there is some
> intrinsic advantage in having individual records vs. the effort of creating
> N records? Or is it something else?
With a single key and TLSA RRset for all the MX hosts, a single
mistake breaks them all. The load-balancer won't help. With
separate records for each MX, and decoupled key rotation cycles,
you're much less likely to break all the MX hosts in a single
negligent act.
There is no single right answer; you consider the pros and cons.
--
Viktor.
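An added example (not part of Viktor's message) showing how the per-host "3 1 1" TLSA RDATA above is derived: the SHA-256 of each host's DER SubjectPublicKeyInfo, so that every MX host with its own key gets its own record. It assumes a stdlib-only DER walker written here and a constructed, structurally valid sample certificate with a fake key, not a real MX certificate.

```python
import hashlib
def der(tag, payload):
    """Encode one DER TLV (short or long-form length)."""
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def read_tlv(buf, pos):
    """Return (tag, value, end_offset) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def spki_from_cert(cert_der):
    """Return the complete DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, cert_body, _ = read_tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)            # tbsCertificate ::= SEQUENCE
    tag, _, nxt = read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0               # skip optional [0] version (v2/v3)
    for _ in range(5):                            # serial, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)                # subjectPublicKeyInfo
    return tbs[pos:end]

def tlsa_3_1_1(cert_der):
    """TLSA RDATA for usage 3 (DANE-EE), selector 1 (SPKI), matching 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(spki_from_cert(cert_der)).hexdigest()

def tlsa_rr(host, cert_der):
    """Zone-file line for the host's port-25 TLSA record, as in the message above."""
    return f"_25._tcp.{host}. IN TLSA {tlsa_3_1_1(cert_der)}"

# --- constructed sample data: structurally valid DER, not a real RSA key ---
RSA_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))

def sample_spki(seed):
    """Fake RSA SPKI whose key bits derive from seed, so each MX host differs."""
    return der(0x30, RSA_ALG + der(0x03, b"\x00" + hashlib.sha256(seed).digest() * 4))

def sample_cert(spki, v3=True):
    """Minimal certificate around spki: empty names, fixed validity, dummy signature."""
    validity = der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
    version = der(0xA0, der(0x02, b"\x02")) if v3 else b""
    tbs = der(0x30, version + der(0x02, b"\x01") + RSA_ALG + der(0x30, b"")
              + validity + der(0x30, b"") + spki)
    return der(0x30, tbs + RSA_ALG + der(0x03, b"\x00\x00"))
```

For a real MX certificate, `spki_from_cert(open("mx1.der", "rb").read())` gives the same bytes as `openssl x509 -pubkey -noout` followed by `openssl pkey -pubin -outform DER`, so `tlsa_rr` reproduces the records in the zone fragment above.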