On 14/6/2019 21:18, Viktor Dukhovni wrote:
>
> The use of private CAs with certificate usage DANE-TA(2) is specified
> for SMTP and supported in Postfix, Exim, ...  See:
>
>     https://tools.ietf.org/html/rfc7671#section-5.2
>
> The trust-anchor CA certificate MUST be included in your certificate
> chain configuration for transmission to the SMTP client.

Should all the chain certificates be included, CA root and CA intermediate for example, as 2 1 1? I believe I saw somewhere that one of them should be enough(?). I have used a CNAME to point to the TLSA record, and https://dane.sys4.de/ seems to verify everything correctly. I am not certain, though, about how RFC-"friendly" it is to use a CNAME to point to TLSA records. Can it be done safely?

> Also see:
>
>     https://tools.ietf.org/html/rfc7671#section-8.1
>     https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
>     https://github.com/danefail/list/issues/47#issuecomment-456623996
>
> And talk slides/video at:
>
>     https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
>
> where I also discuss "2 1 1 + 3 1 1" key rotation.

Really great and very informative DNSSEC and DANE links. Too bad all this is mostly for SMTP for now. It would have been really great to adopt DANE for more services, but that could have a very negative impact on the "well-known" CAs.

Lefteris
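As an added example for this thread (not code from Postfix, Exim, the list, or the RFCs), the Python below computes the certificate association data that "2 1 1" and "3 1 1" TLSA records carry and then applies the matching rule a DANE client uses: a DANE-EE(3) record is compared against the leaf certificate only, while a DANE-TA(2) record is compared against whatever certificates the server actually sent. The chain is constructed inside the script (two unsigned Ed25519 X.509 shells with zeroed signatures, so it runs offline with only the standard library), and the owner name `_25._tcp.mail.example.com.` is an assumed example. It does only digest matching; a real validator additionally builds a PKIX path to the trust anchor for usage 2 and checks the server name.

```python
"""TLSA association data and DANE matching (RFC 6698 / RFC 7671), stdlib only.

Added illustration for the thread; not code from Postfix, Exim or the list.
The certificates are constructed test data with placeholder signatures.
"""
import hashlib

# ---- minimal DER helpers ---------------------------------------------------

def der(tag, content):
    """Encode one DER TLV (definite length, content up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = b"\x81" + bytes([n])
    else:
        ln = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + content

def read_tlv(buf, off):
    """Decode the TLV at buf[off:]; return (tag, content, offset_after)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln = int.from_bytes(buf[off:off + k], "big")
        off += k
    return tag, buf[off:off + ln], off + ln

# ---- constructed test chain (unsigned; signature field is zeros) -----------

ED25519_OID = der(0x06, b"\x2b\x65\x70")   # 1.3.101.112 (RFC 8410)

def ed25519_spki(pubkey):
    """SubjectPublicKeyInfo wrapping a 32-byte Ed25519 public key."""
    return der(0x30, der(0x30, ED25519_OID) + der(0x03, b"\x00" + pubkey))

def fake_cert(subject_cn, spki):
    """X.509 v3 shell around an SPKI. The signature is a placeholder, so this
    exercises TLSA digest matching only, never path validation."""
    version = der(0xA0, der(0x02, b"\x02"))
    serial = der(0x02, b"\x01")
    alg = der(0x30, ED25519_OID)
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, subject_cn))))
    validity = der(0x30, der(0x18, b"20190101000000Z") + der(0x18, b"20290101000000Z"))
    tbs = der(0x30, version + serial + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(64)))

CA_CERT   = fake_cert(b"Example Private CA", ed25519_spki(bytes(range(1, 33))))     # constructed key
LEAF_CERT = fake_cert(b"mail.example.com",   ed25519_spki(bytes(range(101, 133))))  # constructed key

# ---- TLSA data and matching ------------------------------------------------

def spki_of(cert):
    """Extract the DER SubjectPublicKeyInfo (selector 1) from a DER certificate."""
    _, body, _ = read_tlv(cert, 0)          # Certificate
    _, tbs, _ = read_tlv(body, 0)           # tbsCertificate
    tag, _, off = read_tlv(tbs, 0)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        _, _, off = read_tlv(tbs, off)      # serialNumber
    for _ in range(4):                      # signature, issuer, validity, subject
        _, _, off = read_tlv(tbs, off)
    _, _, end = read_tlv(tbs, off)
    return tbs[off:end]

def tlsa_data(cert, selector, mtype):
    """Association data: selector 0 = full cert, 1 = SPKI;
    matching type 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    obj = cert if selector == 0 else spki_of(cert)
    if mtype == 0:
        return obj
    if mtype == 1:
        return hashlib.sha256(obj).digest()
    if mtype == 2:
        return hashlib.sha512(obj).digest()
    raise ValueError("unknown matching type")

def tlsa_rr(owner, usage, selector, mtype, cert):
    """Presentation-format TLSA record for a zone file."""
    return f"{owner} IN TLSA {usage} {selector} {mtype} {tlsa_data(cert, selector, mtype).hex()}"

def find_match(chain, records):
    """Simplified matching. chain: DER certs, leaf first, as sent by the server;
    records: (usage, selector, mtype, data) tuples from DNS. EE usages (1, 3) are
    checked against the leaf only; TA usages (0, 2) against every sent certificate,
    so a TA pin can only match if the TA certificate is in the chain. Returns the
    first matching record or None."""
    for rec in records:
        usage, selector, mtype, data = rec
        candidates = chain[:1] if usage in (1, 3) else chain
        if any(tlsa_data(c, selector, mtype) == data for c in candidates):
            return rec
    return None

# "2 1 1 + 3 1 1": pin the private CA key and the current server key together.
RECORDS = [
    (2, 1, 1, tlsa_data(CA_CERT, 1, 1)),
    (3, 1, 1, tlsa_data(LEAF_CERT, 1, 1)),
]

if __name__ == "__main__":
    owner = "_25._tcp.mail.example.com."   # assumed example owner name
    print(tlsa_rr(owner, 2, 1, 1, CA_CERT))
    print(tlsa_rr(owner, 3, 1, 1, LEAF_CERT))
    print("2 1 1, leaf only sent:", find_match([LEAF_CERT], [RECORDS[0]]))
    print("2 1 1, leaf + CA sent:", find_match([LEAF_CERT, CA_CERT], [RECORDS[0]]) is not None)
```

Running it prints the two records in zone-file form and shows that the `2 1 1` record matches only when the CA certificate is part of the presented chain, which is the point of the quoted MUST: with only the leaf sent, a pin of the CA's public key has nothing to match against. The same holds for whichever chain certificate (root or intermediate) you choose to publish as `2 1 1`; that certificate has to be in what the server transmits.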