On Mon, Jun 17, 2019 at 05:33:16AM +0300, Lefteris Tsintjelis wrote:

> > The trust-anchor CA certificate MUST be included in your certificate
> > chain configuration for transmission to the SMTP client.
> 
> Should all the chain certificates be included, CA root and CA
> intermediate for example, as 2 1 1? I believe I saw somewhere that one
> of them should be enough(?).

You publish "2 1 1" records for the CA(s) you actually trust, which
is often an intermediate CA, rather than its issuing root CA.  Whichever
CA that is, the corresponding certificate must be part of the configured
certificate chain transmitted to the TLS (SMTP in this case) client.

> I have used CNAME to point to TLSA and https://dane.sys4.de/ seems to
> verify everything correctly. I am not certain though about how RFC
> "friendly" is to use CNAME to point to TLSA records? Can it be done safely?

Yes.

> > Also see:
> > 
> >     https://tools.ietf.org/html/rfc7671#section-8.1
> >     https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
> >     https://github.com/danefail/list/issues/47#issuecomment-456623996
> > 
> > And talk slides/video at:
> > 
> >     https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
> > 
> > where I also discuss "2 1 1 + 3 1 1" key rotation.
> 
> Really great and very informative DNSSEC and DANE links.

Thanks, spread the word...

> It would have been really great to
> adopt DANE to more services but that could have very negative impact to
> the "well knowns" CAs.

All in good time, the browser vendors (Google Chrome, Mozilla
Firefox, ...) are not ready yet.

-- 
        Viktor.
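As an added example (not part of the thread above, and not Viktor's or Postfix's own code), the following script makes the "2 1 1" point concrete: it builds a throwaway root/intermediate/leaf PKI with openssl, derives the TLSA "2 1 1" data for the intermediate CA and the "3 1 1" data for the leaf, and then checks whether the trust-anchor certificate named by the "2 1 1" record is actually present in the chain file the SMTP server would transmit. The names (mail.example.com, "Example Root", "Example Intermediate") and keys are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original thread: build a throwaway
# root -> intermediate -> leaf PKI with openssl, derive the TLSA "2 1 1"
# (intermediate CA as trust anchor) and "3 1 1" (leaf) data fields, and
# check that the trust-anchor certificate really is in the chain file the
# SMTP server would send.  All names and keys here are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# SHA-256 of the DER-encoded SubjectPublicKeyInfo: the "1 1" part of a
# TLSA record (selector 1 = SPKI, matching type 1 = SHA2-256).
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | sed 's/.*= *//'
}

# Print "yes" if some certificate in chain file $2 has SPKI digest $1,
# else "no".  This is the check a "2 1 1" publisher must pass: the CA the
# record names has to be part of the transmitted chain, not merely
# installed somewhere on the server.
chain_has_ta() {
    want=$1; chain=$2; found=no; parts=$(mktemp -d)
    awk -v d="$parts" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/c" n ".pem")}' "$chain"
    for c in "$parts"/c*.pem; do
        if [ "$(spki_sha256 "$c")" = "$want" ]; then found=yes; fi
    done
    rm -rf "$parts"
    echo "$found"
}

# Throwaway PKI (EC keys to keep it fast).  Constructed names.
EC='ec -pkeyopt ec_paramgen_curve:prime256v1'
openssl req -x509 -newkey $EC -nodes -keyout root.key -out root.pem \
    -subj '/CN=Example Root' -days 1 2>/dev/null
openssl req -new -newkey $EC -nodes -keyout inter.key -out inter.csr \
    -subj '/CN=Example Intermediate' 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 1 -extfile ca.ext 2>/dev/null
openssl req -new -newkey $EC -nodes -keyout leaf.key -out leaf.csr \
    -subj '/CN=mail.example.com' 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out leaf.pem -days 1 2>/dev/null

# The records you would publish: trust the intermediate (2 1 1), plus the
# current leaf key (3 1 1) for the "2 1 1 + 3 1 1" rotation pattern.
TA_211=$(spki_sha256 inter.pem)
TA_311=$(spki_sha256 leaf.pem)
printf '_25._tcp.mail.example.com. IN TLSA 2 1 1 %s\n' "$TA_211"
printf '_25._tcp.mail.example.com. IN TLSA 3 1 1 %s\n' "$TA_311"

# Correct chain: leaf first, then the intermediate the 2 1 1 record names.
cat leaf.pem inter.pem > good_chain.pem
# Misconfigured chain: leaf only; a 2 1 1 record for the intermediate
# cannot be satisfied by this, whatever the server has on disk.
cp leaf.pem bad_chain.pem

echo "good_chain.pem carries the 2 1 1 trust anchor: $(chain_has_ta "$TA_211" good_chain.pem)"
echo "bad_chain.pem carries the 2 1 1 trust anchor:  $(chain_has_ta "$TA_211" bad_chain.pem)"
```

Run it against your real chain by replacing the generated files: `spki_sha256 <ca.pem>` gives the "2 1 1" data for whichever CA you choose to trust (root or intermediate), and `chain_has_ta <that digest> <smtpd_tls_chain_file>` tells you whether that CA certificate will actually reach the client. A "2 1 1" record for a CA that is not in the transmitted chain fails DANE verification even when the leaf is perfectly valid.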
