Re: Test DANE

2016-06-07 Thread Viktor Dukhovni
> On Jun 7, 2016, at 2:46 AM, Alice Wonder wrote: > > > Isn't generally better to use a new private key? Not if doing so makes it impractical to maintain correct TLSA records. Specifically, if certificate renewals are frequent and automated, it becomes difficult to pre-stage new keys and assoc

Re: Test DANE

2016-06-06 Thread Alice Wonder
On 06/06/2016 07:46 AM, Viktor Dukhovni wrote: On Mon, Jun 06, 2016 at 03:58:51PM +0200, Alexandre Ellert wrote: I’ve just enabled DANE and https://dane.sys4.de is green when I test my domain numeezy.com. Also postfix SMTP client says "Verified T

Re: Test DANE

2016-06-06 Thread Viktor Dukhovni
On Mon, Jun 06, 2016 at 08:36:09PM +0200, Tom Hendrikx wrote: > > I did some further research. It seems that validns does not like this > > construct, because it insists that TLSA records are 'properly prefixed' > > (i.e. with a port and service prefix, see [1]). > > Insists, as a policy check, w

Re: Test DANE

2016-06-06 Thread Tom Hendrikx
On 06-06-16 17:46, Viktor Dukhovni wrote: > On Mon, Jun 06, 2016 at 05:31:49PM +0200, Tom Hendrikx wrote: > >> I have been playing around with the dane check tool from sys4 too, and >> it seems it doesn't support the nice CNAME trick shown in >> https://community.letsencrypt.org/t/please-avoid-3-0

Re: Test DANE

2016-06-06 Thread Tom Hendrikx
On 06-06-16 20:26, Tom Hendrikx wrote: > On 06-06-16 17:46, Viktor Dukhovni wrote: >> On Mon, Jun 06, 2016 at 05:31:49PM +0200, Tom Hendrikx wrote: >> >>> I have been playing around with the dane check tool from sys4 too, and >>> it seems it doesn't support the nice CNAME trick shown in >>> https:/

Re: Test DANE

2016-06-06 Thread Viktor Dukhovni
On Mon, Jun 06, 2016 at 05:31:49PM +0200, Tom Hendrikx wrote: > I have been playing around with the dane check tool from sys4 too, and > it seems it doesn't support the nice CNAME trick shown in > https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificat

Re: Test DANE

2016-06-06 Thread Alexandre Ellert
> On 6 June 2016 at 16:46, Viktor Dukhovni wrote: > > On Mon, Jun 06, 2016 at 03:58:51PM +0200, Alexandre Ellert wrote: > >> I’ve just enabled DANE and https://dane.sys4.de >> is green when I test my domain numeezy.com. Also >> postfix SMTP clien

Re: Test DANE

2016-06-06 Thread Tom Hendrikx
Hi, I have been playing around with the dane check tool from sys4 too, and it seems it doesn't support the nice CNAME trick shown in https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022 The tool does not seem to follow the CNAME pointer, and

Re: Test DANE

2016-06-06 Thread Viktor Dukhovni
On Mon, Jun 06, 2016 at 03:58:51PM +0200, Alexandre Ellert wrote: > I’ve just enabled DANE and https://dane.sys4.de > is green when I test my domain numeezy.com. Also > postfix SMTP client says "Verified TLS connection established to > mail-in-1.numee

Test DANE

2016-06-06 Thread Alexandre Ellert
Hello, I’ve just enabled DANE and https://dane.sys4.de is green when I test my domain numeezy.com. Also postfix SMTP client says "Verified TLS connection established to mail-in-1.numeezy.com[188.165.154.163]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-