January 31, 2021 10:29 PM, "Viktor Dukhovni" <postfix-us...@dukhovni.org> wrote:
> On Sun, Jan 31, 2021 at 07:15:05PM +0100, Patrick Proniewski wrote:
>
>> fixed:
>>
>> $ telnet mail.patpro.net 25
>> Trying 193.30.227.216...
>> Connected to mail.patpro.net.
>> Escape character is '^]'.
>> 220-rack.patpro.net Do not say anything yet
>
> You might also throw "ESMTP" in there:
>
> 220-hostname.example ESMTP ...

Will fix.

> but more importantly, your DNSSEC implementation is FUBAR:
>
> https://dnsviz.net/d/patpro.net/X0FcgA/dnssec

Yeah. Something is not right here and I have no clue how it went so bad. I've touched nothing since I created the DNSSEC config 3-4 years ago, and until less than a year ago dnsviz.net was giving me an all-green status IIRC.

I chose to go with huge keys from the start to be "future proof", not so smart I guess. What would be the main steps to renew keys with best practice in mind (algorithm 13 with ECDSA P-256 keys)? I'm trying to find a good how-to, but most are quite old and/or focus on the initial setup only.

I've ditched the ns6.gandi.net secondary DNS for now, will add it back later when my config is "all green" again.

thanks
patpro