Hi!

Since I now have DNSSEC, I want to use DANE as well.

I have found Viktor’s article https://mailarchive.ietf.org/arch/msg/uta/SR2EKnnj8749AtVeIvjEEEXz7fg (about web.de) with other links.

My Postfix has two certificates/keys (RSA and ECDSA) from Let's Encrypt.

It says in the article:

mx.example. IN TLSA 3 1 1 <digest of server public key>
mx.example. IN TLSA 2 1 1 <digest of immediate issuer public key>

* The "3 1 1" record protects against "expiration" accidents, and unexpected changes in the issuer's public key (if new certificate chain deployment is automated).

* The "2 1 1" record protects against key rotation errors should a new server private key be deployed without updating the TLSA RRs. Provided the new certificate is issued by the same CA and is unexpired,… the "2 1 1" record will match.


My questions:
1. Can I have two "3 1 1" records for RSA and ECDSA?
2. Is "digest of immediate issuer public key" the CA from Let's Encrypt or the "Digital Signature Trust" CA?


It would be nice if someone could help me.

Many greetings,

        Stephan

--
|    If your life was a horse, you'd have to shoot it.    |
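The two record types quoted in the post, worked through on a constructed chain as an added example (not from the post, Viktor's article or Postfix): a throwaway issuer plus one RSA and one ECDSA leaf for the hypothetical host mx.example, from which the script derives one "3 1 1" record per server key and a "2 1 1" record from the certificate that signed both leaves. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the post, the article or Postfix. Builds a
# throwaway issuer plus an RSA and an ECDSA leaf for the hypothetical
# host mx.example, then derives TLSA data for them. Assumes openssl is
# installed. Matching type 1 = SHA-256; selector 1 = SubjectPublicKeyInfo
# (the "public key" in the article), selector 0 = whole certificate DER.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# tlsa_digest CERT.pem SELECTOR -> hex SHA-256 of the selected data
tlsa_digest() {
  if [ "$2" = 1 ]; then
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER
  else
    openssl x509 -in "$1" -outform DER
  fi | openssl dgst -sha256 | sed 's/^.* //'
}

# tlsa_rr OWNER USAGE SELECTOR CERT.pem -> one TLSA record in zone syntax
tlsa_rr() {
  printf '%s. IN TLSA %s %s 1 %s\n' "$1" "$2" "$3" "$(tlsa_digest "$4" "$3")"
}

# make_ca NAME -> self-signed NAME.pem/NAME.key that will sign the leaves
make_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$1" -days 1 -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert NAME KEYSPEC CA SERIAL -> leaf NAME.pem for mx.example signed by CA
issue_cert() {
  [ "$2" = ec ] && spec="ec -pkeyopt ec_paramgen_curve:prime256v1" || spec="$2"
  openssl req -new -newkey $spec -nodes -subj "/CN=mx.example" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null   # $spec unquoted on purpose
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -set_serial "$4" -days 1 -out "$WORK/$1.pem" 2>/dev/null
}

make_ca issuer
issue_cert rsa rsa:2048 issuer 1
issue_cert ecdsa ec issuer 2

# One "3 1 1" per server key, and a single "2 1 1" for their common issuer.
# For SMTP the owner name is _25._tcp.<MX host>.
tlsa_rr _25._tcp.mx.example 3 1 "$WORK/rsa.pem"
tlsa_rr _25._tcp.mx.example 3 1 "$WORK/ecdsa.pem"
tlsa_rr _25._tcp.mx.example 2 1 "$WORK/issuer.pem"
```

Each run prints three records with fresh digests, since the keys are generated on the fly; against a real deployment the same functions are pointed at the live certificate files instead.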