On 11/09/15 22:55, Viktor Dukhovni wrote:
> I would also like to encourage more of the administrators on this
> list to publish TLSA records, but keep in mind that this is an
> operational commitment, not a fashion statement. Once you publish
> TLSA records you MUST keep them accurate while performing future
> key/certificate updates (or changing issuing CAs if you're using
> DANE-TA(2) TLSA records).
[...]
> If you can do that, please go ahead and publish TLSA records for
> the MX hosts of your DNSSEC signed domains. If that's too complex
> at this time, wait. The documentation and tools will improve, and
> it is better to not publish at all than to publish broken records
> that create problems for both senders (other domains) and receivers
> (you).

This is where I admit that I haven't gotten around to DNSSEC signing yet. But then, mine is a very small domain with only one external IP.

-- 
Phil Stracchino
Babylon Communications
ph...@caerllewys.net
p...@co.ordinate.org
Landline: 603.293.8485