On Thu, May 11, 2023 at 03:17:21PM +0900, Byung-Hee HWANG via Postfix-users <postfix-users@postfix.org> wrote:
> Hello Postfix hackers,
>
> I have a question while reading the DANE docs. Is DNSSEC mandatory
> for making a DANE mail server?
>
> For now I'm running two postfix servers in public. Actually I'm a beginner
> in both DANE and DNSSEC.
>
> Any comments welcome!
>
> Sincerely, Byung-Hee

Hi Byung-Hee,

As others have said, if you want incoming DANE, you need DNSSEC.

Bind9 makes it incredibly easy to enable DNSSEC. It's literally two extra
lines in your configuration (unless you get fancy with automatic expiry and
rollover - and that's easy too), plus you need to supply some information to
your domain registrar for them to put into their servers. If your domain
registrar doesn't support DNSSEC, or doesn't make it easy, find one that
does. You'll need to interact with them every time you roll over your DNSSEC
keys (e.g., maybe annually).

As for the TLSA records you need to create for your mail servers, I recommend
my "danectl" program which can generate TLSA records for you to publish in
the DNS, and you can use it to monitor that they have been published. Recent
versions include a couple of adapters to help publish the TLSA records in the
DNS, but only if you edit your own bind9 zone files or use nsupdate for a
dynamic zone.

A big prerequisite of danectl is certbot to handle the actual key/certificate
generation. danectl doesn't work with any other ACME client.

There are technically many ways to do TLSA DANE but only one great way
(TLSA 3 1 1 current + next) which is what danectl supports. The idea is to
always have two keys/certificates and their corresponding TLSA records
available for use all the time: the current one, and the next one. Whenever
you want to roll over your key, you can immediately switch to the next one
which is already published in the DNS and ready to go while you prepare the
new next key/certificate and its corresponding TLSA record (for the next
rollover).

This ensures that every rollover works seamlessly because you never have the
situation where things aren't working while your TLSA records are propagating
around the DNS, because they were published well before they were required.

Here are some wikis that might help:

https://github.com/baknu/DANE-for-SMTP/wiki
https://github.com/internetstandards/toolbox-wiki

cheers,
raf

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
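The "TLSA 3 1 1 current + next" scheme raf describes, modelled as an added example that is not part of this thread and is not danectl's or certbot's code. It assumes constructed Ed25519 public keys (so the DER SubjectPublicKeyInfo can be built inline without a crypto library), a placeholder host `mail.example.com`, and a set that stands in for "what is currently published in the DNS"; a real deployment would read the published records with a DNS query instead. It computes the TLSA RDATA (usage 3 = DANE-EE, selector 1 = SPKI, matching type 1 = SHA2-256) for both keys, lists the zone lines to publish, and refuses to roll over while the next key's record is not yet published, which is the invariant that makes the rollover seamless:

```python
import hashlib

# Constructed sample: fixed 12-byte DER header of a SubjectPublicKeyInfo for
# id-Ed25519 (SEQUENCE { AlgorithmIdentifier { OID 1.3.101.112 }, BIT STRING }).
# Appending a 32-byte key yields a complete, valid SPKI encoding.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def spki_for(raw_key: bytes) -> bytes:
    """Wrap a (made-up) 32-byte Ed25519 key in its DER SubjectPublicKeyInfo."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ED25519_SPKI_PREFIX + raw_key


def tlsa_3_1_1(spki_der: bytes) -> str:
    """RDATA for a DANE-EE(3) SPKI(1) SHA2-256(1) TLSA record: hash of the DER SPKI."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def tlsa_owner(host: str, port: int = 25) -> str:
    """Owner name of the TLSA record for an SMTP listener on the given port."""
    return f"_{port}._tcp.{host}."


class DaneKeyset:
    """Current + next key pair and the TLSA records believed to be in the DNS (simulated)."""

    def __init__(self, host: str, current_spki: bytes, next_spki: bytes):
        self.host = host
        self.current = current_spki
        self.next = next_spki
        self.published: set[str] = set()  # simulated DNS state (assumption)

    def required_records(self) -> set[str]:
        """Both records must be in the DNS at all times."""
        return {tlsa_3_1_1(self.current), tlsa_3_1_1(self.next)}

    def zone_lines(self) -> list[str]:
        """Zone-file lines to publish for the current and next key."""
        owner = tlsa_owner(self.host)
        return [f"{owner} IN TLSA {rdata}" for rdata in sorted(self.required_records())]

    def publish(self, rdata: str) -> None:
        """Simulate the record appearing in the DNS (in reality: edit zone / nsupdate)."""
        self.published.add(rdata)

    def missing(self) -> set[str]:
        """Records that should be published but are not (what a monitor would alert on)."""
        return self.required_records() - self.published

    def rollover(self, new_next_spki: bytes) -> bytes:
        """Switch to 'next' only if its TLSA record is already published; return the new current."""
        if tlsa_3_1_1(self.next) not in self.published:
            raise RuntimeError("refusing rollover: next key's TLSA record is not published yet")
        self.current, self.next = self.next, new_next_spki
        return self.current


if __name__ == "__main__":
    # Constructed keys; real keys would come from the ACME client's key files.
    k_current, k_next, k_after = (spki_for(bytes([i]) * 32) for i in (1, 2, 3))
    ks = DaneKeyset("mail.example.com", k_current, k_next)
    print("\n".join(ks.zone_lines()))
    for rdata in ks.required_records():
        ks.publish(rdata)
    ks.rollover(k_after)
    print("after rollover, still to publish:", ks.missing())
```

Run it with `python3 dane_rollover.py`; the lines it prints are what you would put in the zone (a real monitor would replace the `published` set with an actual TLSA lookup of the owner name).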