Re: [mailop] heads-up: Exchange Online: validation issues with Let's Encrypt DANE

2024-06-10 Thread L. Mark Stone via mailop
From: "Kirill Miazine via mailop" | To: "tobias" | Cc: "mailop" | Sent: Monday, June 10, 2024 7:24:54 AM | Subject: Re: [mailop] heads-up: Exchange Online: validation issues with Let's Encrypt DANE | • Tobias Fiebig via mailop [2024-06-10 14:09]: |> Moin, |>

Re: [mailop] heads-up: Exchange Online: validation issues with Let's Encrypt DANE

2024-06-10 Thread Kirill Miazine via mailop
• Tobias Fiebig via mailop [2024-06-10 14:09]: > Moin, > are you sure the RRset is not inadvertently bogus? Can slip by rather > easily for a set of reasons; old RRSIGs for example after one of the > entries got updated? no. LE TLSA RRs are generated automatically based on URL lists, so there are

Re: [mailop] heads-up: Exchange Online: validation issues with Let's Encrypt DANE

2024-06-10 Thread Kirill Miazine via mailop
• Viktor Dukhovni via mailop [2024-06-10 22:06]: > On Mon, Jun 10, 2024 at 12:06:26PM +0200, Kirill Miazine via mailop wrote: > > > Although there are better alternatives to 2 1 1 with Let's Encrypt, some > > still use 2 1 1, and it seems Exchange Online is not happy when there are 14 > > TLSA rec

Re: [mailop] heads-up: Exchange Online: validation issues with Let's Encrypt DANE

2024-06-10 Thread Viktor Dukhovni via mailop
On Mon, Jun 10, 2024 at 10:06:26PM +1000, Viktor Dukhovni via mailop wrote: > > Although there are better alternatives to 2 1 1 with Let's Encrypt, some > > still use 2 1 1, and it seems Exchange Online is not happy when there are 14 > > TLSA records (why 14? because https://letsencrypt.org/certif

Re: [mailop] heads-up: Exchange Online: validation issues with Let's Encrypt DANE

2024-06-10 Thread Tobias Fiebig via mailop
Moin, are you sure the RRset is not inadvertently bogus? Can slip by rather easily for a set of reasons; old RRSIGs for example after one of the entries got updated? If not, out of personal curiosity: can you test where 'the boundary' is to trigger the error? Should be doable with like 4 test doma

Re: [mailop] heads-up: Exchange Online: validation issues with Let's Encrypt DANE

2024-06-10 Thread Viktor Dukhovni via mailop
On Mon, Jun 10, 2024 at 12:06:26PM +0200, Kirill Miazine via mailop wrote: > Although there are better alternatives to 2 1 1 with Let's Encrypt, some > still use 2 1 1, and it seems Exchange Online is not happy when there are 14 > TLSA records (why 14? because https://letsencrypt.org/certificates/

Re: [mailop] heads-up: Exchange Online: validation issues with Let's Encrypt DANE

2024-06-10 Thread Kirill Miazine via mailop
Apparently Exchange Online would provide an error to the user like this: dnssec-invalid: Destination domain returned invalid DNSSEC records https://learn.microsoft.com/en-us/exchange/troubleshoot/email-delivery/ndr/non-delivery-reports-in-exchange-online explains what this really means: The d

[mailop] heads-up: Exchange Online: validation issues with Let's Encrypt DANE

2024-06-10 Thread Kirill Miazine via mailop
Although there are better alternatives to 2 1 1 with Let's Encrypt, some still use 2 1 1, and it seems Exchange Online is not happy when there are 14 TLSA records (why 14? because https://letsencrypt.org/certificates/)... A good reason to not use 2 1 1; TLSA - LE certs published at https