On Tue, May 04, 2021 at 09:35:29PM +0200, Benny Pedersen wrote:

> rndc nta kolabsys.com
>
> After that I see that ssl gives untrusted, but mail to maillist is
> at least delivered
>
> Should I resolve the untrusted part seen from
>
> posttls_finger lists.roundcube.net

It is not clear what you're asking, but kolabsys.com presently have
incorrect TLSA records, so it would be good to alert their postmaster
or users to the problem, so that it can be resolved:

    https://stats.dnssec-tools.org/explore/?kolabsys.com

On Tue, May 04, 2021 at 10:15:00PM +0200, Benny Pedersen wrote:

> > | [T] kolabsys.com. 86400 IN DNSKEY 256 3 5 ;{id = 47193 (zsk), size =
> > 2048b}
>
> Warning I am not a DNSSEC expert, but I think algo 5 is now deprecated

Though algorithm 5 is deprecated, it is still supported by mainstream
resolvers, so while they should be migrating to 8 or 13, there is no
urgent issue with use of 5.

    https://tools.ietf.org/html/rfc8624#section-3.1

    +--------+--------------------+-----------------+-------------------+
    | Number | Mnemonics          | DNSSEC Signing  | DNSSEC Validation |
    +--------+--------------------+-----------------+-------------------+
    | 5      | RSASHA1            | NOT RECOMMENDED | MUST              |
    | 8      | RSASHA256          | MUST            | MUST              |
    | 13     | ECDSAP256SHA256    | MUST            | MUST              |

-- 
    Viktor.
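
The check discussed in the message above, as an added example that is not part of the original thread: it pulls the flags, protocol and algorithm fields out of DNSKEY lines (including mail-quoted ones) and classifies the algorithm using only the three RFC 8624 rows quoted above. The function name, the verdict strings and the example.test records are assumptions made for illustration.

```python
import re

# Only the three rows quoted in the message (RFC 8624 section 3.1):
# number -> (mnemonic, signing, validation)
EXCERPT = {
    5: ("RSASHA1", "NOT RECOMMENDED", "MUST"),
    8: ("RSASHA256", "MUST", "MUST"),
    13: ("ECDSAP256SHA256", "MUST", "MUST"),
}

DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\b", re.I)

# Constructed sample: the first line is the record quoted in the thread
# (with its mail-quote prefix and "[T]" marker), the rest are made up.
SAMPLE = """\
> > | [T] kolabsys.com. 86400 IN DNSKEY 256 3 5 ;{id = 47193 (zsk), size = 2048b}
example.test. 3600 IN DNSKEY 257 3 13 ; key data omitted
example.test. 3600 IN DNSKEY 256 3 8 ; key data omitted
example.test. IN DNSKEY 256 3 15 ; key data omitted
example.test. 3600 IN A 192.0.2.1
"""

def audit_dnskeys(text):
    """Return (owner, role, algorithm, verdict) for each DNSKEY line."""
    findings = []
    for raw in text.splitlines():
        # Strip mail quoting ("> > |") and a leading bracketed marker ("[T]").
        line = re.sub(r"^\[\w\]\s*", "", raw.lstrip("|> \t"))
        m = DNSKEY_RE.match(line)
        if not m:
            continue  # not a DNSKEY record
        flags, proto, alg = (int(m[k]) for k in ("flags", "proto", "alg"))
        role = "KSK" if flags & 1 else "ZSK"  # SEP bit set marks a KSK
        if proto != 3:
            verdict = "invalid protocol field"  # RFC 4034: must be 3
        elif alg not in EXCERPT:
            verdict = "not in quoted excerpt"
        elif EXCERPT[alg][1] == "NOT RECOMMENDED":
            # Validation is still MUST, so not urgent, but plan a rollover.
            verdict = "validates; plan migration to 8 or 13"
        else:
            verdict = "ok"
        findings.append((m["owner"], role, alg, verdict))
    return findings

if __name__ == "__main__":
    for row in audit_dnskeys(SAMPLE):
        print(*row, sep="\t")
```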