On Fri, Apr 25, 2014 at 02:35:55PM +, Eray Aslan wrote:
> For the record, looks like a typo in the script:
>
> --- tlsagen 2014-04-25 14:22:02.0 +
> +++ tlsagen 2014-04-25 13:50:17.0 +
Thanks, yes, this has since been fixed, and a few other improvements
made. Cur
On Sat, Dec 14, 2013 at 06:30:15PM +, Viktor Dukhovni wrote:
> Well, you're unlikely to have working TLSA RRs for your SMTP service
> just by happenstance. If you want to create a TLSA RRset for your
> SMTP server, run the attached "tlsagen" shell script as follows:
>
> $ tlsagen cert.pem
On Sat, Dec 14, 2013 at 08:53:14PM +, Viktor Dukhovni wrote:
> On Sat, Dec 14, 2013 at 02:35:15PM -0600, /dev/rob0 wrote:
>
> > > The trick is to find tools that make operating a DNSSEC zone
> > > relatively painless. You get security, but it is easier to mess
> > > up leaving the zone with stal
John skrev den 2013-12-14 15:24:
An excellent idea, particularly as you are talking to the dumbest bit
of the horse at the moment.
if it's dumbest it's a donkey, not a horse :)
On Sat, Dec 14, 2013 at 04:16:08PM -0500, John wrote:
> Yes, unfortunately my .ca Registrar is not currently capable of
> handling DS or DNSKEY records so I am using the ISC dlv, It works
> for most things, but I assume from your comment that TLSA will
> require records at the .ca root. I have the
On 14/12/2013 1:30 PM, Viktor Dukhovni wrote:
On Sat, Dec 14, 2013 at 12:44:49PM -0500, John Allen wrote:
Just a thought, maybe there is a more appropriate forum/mail list to
discuss this on, as this is not strictly Postfix related?
It is fine to ask here, Postfix is the first real applicatio
On Sat, Dec 14, 2013 at 02:35:15PM -0600, /dev/rob0 wrote:
> > The trick is to find tools that make operating a DNSSEC zone
> > relatively painless. You get security, but it is easier to mess
> > up leaving the zone with stale signatures and thus essentially
> > invisible to all DNSSEC-aware clients
On Sat, Dec 14, 2013 at 05:26:01AM +, Viktor Dukhovni wrote:
> On Sat, Dec 14, 2013 at 12:04:15AM -0500, John Allen wrote:
> > > The main difficulty with server-side DANE is that your zone
> > > must be DNSSEC signed. Deployment of DNSSEC is still fairly
> > > thin. With a bit of luck DANE m
On Sat, Dec 14, 2013 at 12:44:49PM -0500, John Allen wrote:
> >>Just a thought, maybe there is a more appropriate forum/mail list to
> >>discuss this on, as this is not strictly Postfix related?
> >
> >It is fine to ask here, Postfix is the first real application to
> >support DANE TLSA.
>
> Thank
On Sat, Dec 14, 2013 at 08:31:10AM -0500, John wrote:
DANE TLSA records allow sites to independently create leaf and CA
certificates after first registering their DNSSEC key-signing-keys
with their DNS registrar. So in effect you do have a CA, but it
is your DNS registrar and they effectively m
On Sat, Dec 14, 2013 at 08:31:10AM -0500, John wrote:
> >DANE TLSA records allow sites to independently create leaf and CA
> >certificates after first registering their DNSSEC key-signing-keys
> >with their DNS registrar. So in effect you do have a CA, but it
> >is your DNS registrar and they eff
On 14/12/2013 8:37 AM, Wietse Venema wrote:
.
Does this do anything to solve "Man in the middle" who presents an
apparently valid cert (usually generated on the fly)? Because I thought
the only way to detect this was to compare the fingerprint of the key
presented with the known fingerprint.
John:
> > - DNSSEC: a man-in-the-middle hardened means of publishing DNS data.
> >
> > - DANE: an IETF working group to develop standards for using DNSSEC
> >to publish authentication information (public keys and the like)
> >that binds DNS names to corresponding credentia
On 14/12/2013 12:26 AM, Viktor Dukhovni wrote:
On Sat, Dec 14, 2013 at 12:04:15AM -0500, John Allen wrote:
The main difficulty with server-side DANE is that your zone
must be DNSSEC signed. Deployment of DNSSEC is still fairly thin.
With a bit of luck DANE might motivate folks
On Sat, Dec 14, 2013 at 12:04:15AM -0500, John Allen wrote:
> > The main difficulty with server-side DANE is that your zone
> > must be DNSSEC signed. Deployment of DNSSEC is still fairly thin.
> > With a bit of luck DANE might motivate folks to consider DNSSEC.
>
> My interest in TLS
On 13/12/2013 3:50 PM, Viktor Dukhovni wrote:
On Fri, Dec 13, 2013 at 03:11:38PM -0500, John Allen wrote:
Does anybody know of a good, but simple write up on DANE and TLSA.
It has to be simple enough for me to understand (assume idiot).
An explanation of what DANE TLSA is for[*]?
Or how to set
On Fri, Dec 13, 2013 at 03:11:38PM -0500, John Allen wrote:
> Does anybody know of a good, but simple write up on DANE and TLSA.
> It has to be simple enough for me to understand (assume idiot).
An explanation of what DANE TLSA is for[*]?
Or how to set up a Postfix to work with it?
If the latter
17 matches