Although there are better alternatives to 2 1 1 with Let's Encrypt, some
still use 2 1 1, and it seems Exchange Online is not happy when there
are 14 TLSA records (why 14? because
https://letsencrypt.org/certificates/)... A good reason to not use 2 1 1
; TLSA - LE certs published at https
Apparently exchange online would provide an error to the user like this:
dnssec-invalid: Destination domain returned invalid DNSSEC records
https://learn.microsoft.com/en-us/exchange/troubleshoot/email-delivery/ndr/non-delivery-reports-in-exchange-online
explains what this really means:
The d
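The "2 1 1" in this message is the TLSA parameter triple usage DANE-TA(2), selector SPKI(1), matching type SHA2-256(1): one record per trust-anchor (here, each Let's Encrypt intermediate), carrying the SHA-256 of that CA's DER-encoded SubjectPublicKeyInfo. The following is an added example, not code from any poster in the thread, showing how such an RRset is built in wire format, rendered in presentation format, sanity-checked for malformed rdata, and matched against the SPKIs of a presented chain the way a DANE-TA verifier does. The SPKI byte strings and the MX name are constructed stand-ins; a real deployment hashes the actual intermediate certificates' SPKI DER.

```python
import hashlib
import struct

# Constructed stand-ins for the DER SubjectPublicKeyInfo of two intermediate
# CAs (assumption: not real Let's Encrypt key material).
SPKI_R3 = b"constructed-spki-der-for-intermediate-R3"
SPKI_E1 = b"constructed-spki-der-for-intermediate-E1"
MX_NAME = "_25._tcp.mx.example.com."  # constructed owner name

# TLSA rdata layout (RFC 6698): usage, selector, matching type, certificate data
USAGE_DANE_TA, SELECTOR_SPKI, MTYPE_SHA256 = 2, 1, 1
SHA256_LEN = 32


def tlsa_211_rdata(spki_der: bytes) -> bytes:
    """Wire-format rdata for a '2 1 1' record covering one trust anchor."""
    header = struct.pack("!BBB", USAGE_DANE_TA, SELECTOR_SPKI, MTYPE_SHA256)
    return header + hashlib.sha256(spki_der).digest()


def parse_tlsa_rdata(rdata: bytes):
    """Split wire-format rdata into (usage, selector, mtype, cert_data)."""
    if len(rdata) < 3:
        raise ValueError("TLSA rdata shorter than the 3-byte header")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return usage, selector, mtype, rdata[3:]


def present(owner: str, rdata: bytes) -> str:
    """Presentation format as it would appear in a zone file."""
    usage, selector, mtype, data = parse_tlsa_rdata(rdata)
    return f"{owner} IN TLSA {usage} {selector} {mtype} {data.hex()}"


def build_rrset(spkis) -> list:
    """One 2 1 1 record per trust-anchor SPKI, i.e. one per intermediate CA."""
    return [tlsa_211_rdata(spki) for spki in spkis]


def malformed_records(rrset) -> list:
    """Indices of records whose certificate data length does not fit their
    matching type; a broken generator script is one way an RRset goes bad."""
    bad = []
    for i, rdata in enumerate(rrset):
        _, _, mtype, data = parse_tlsa_rdata(rdata)
        if mtype == MTYPE_SHA256 and len(data) != SHA256_LEN:
            bad.append(i)
    return bad


def chain_matches(rrset, chain_spkis) -> bool:
    """DANE-TA(2)/SPKI(1)/SHA2-256(1) check: the chain is accepted if any
    issuer SPKI in it hashes to the certificate data of some usable record."""
    digests = {hashlib.sha256(spki).digest() for spki in chain_spkis}
    for rdata in rrset:
        usage, selector, mtype, data = parse_tlsa_rdata(rdata)
        if (usage, selector, mtype) != (USAGE_DANE_TA, SELECTOR_SPKI, MTYPE_SHA256):
            continue  # other parameter combinations are out of scope here
        if data in digests:
            return True
    return False


if __name__ == "__main__":
    rrset = build_rrset([SPKI_R3, SPKI_E1])
    for rdata in rrset:
        print(present(MX_NAME, rdata))
    print("malformed:", malformed_records(rrset))
    print("chain via R3 accepted:", chain_matches(rrset, [SPKI_R3]))
    print("unknown issuer accepted:", chain_matches(rrset, [b"some-other-ca"]))
```

Publishing one such record for every current and future intermediate is what produces the large RRset the message describes; a verifier only needs one of them to match the issuer actually used in the presented chain.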
On Mon, Jun 10, 2024 at 12:06:26PM +0200, Kirill Miazine via mailop wrote:
> Although there are better alternatives to 2 1 1 with Let's Encrypt, some
> still use 2 1 1, and it seems Exchange Online is not happy when there are 14
> TLSA records (why 14? because https://letsencrypt.org/certificates/
Moin,
are you sure the RRset is not inadvertently bogus? Can slip by rather
easily for a set of reasons; old RRSIGs, for example, after one of the
entries got updated?
If not, out of personal curiosity, can you test where 'the boundary' is
to trigger the error? Should be doable with like 4 test doma
On Mon, Jun 10, 2024 at 10:06:26PM +1000, Viktor Dukhovni via mailop wrote:
> > Although there are better alternatives to 2 1 1 with Let's Encrypt, some
> > still use 2 1 1, and it seems Exchange Online is not happy when there are 14
> > TLSA records (why 14? because https://letsencrypt.org/certif
• Viktor Dukhovni via mailop [2024-06-10 22:06]:
> On Mon, Jun 10, 2024 at 12:06:26PM +0200, Kirill Miazine via mailop wrote:
>
> > Although there are better alternatives to 2 1 1 with Let's Encrypt, some
> > still use 2 1 1, and it seems Exchange Online is not happy when there are 14
> > TLSA rec
• Tobias Fiebig via mailop [2024-06-10 14:09]:
> Moin,
> are you sure the RRset is not inadvertently bogus? Can slip by rather
> easily for a set of reasons; old RRSIGs, for example, after one of the
> entries got updated?
no. LE TLSA RRs are generated automatically based on URL lists, so there
are
[ Also sent to draft-brand-indicators-for-message-identificat...@ietf.org ]
https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/05/
7.8. Handle Existing BIMI-Location and BIMI-Indicator Headers
says:
If the original email message had a DKIM signature, it has a
Apologies for jumping in, and it may not be relevant, but our experience has
been that, unlike Google and others, Microsoft will DNSSEC fail an email if the
sending server's hostname does not have its subdomain DNSSEC signed and keys
provisioned in public DNS -- even when the envelope and sender