On Wed, Aug 18, 2021 at 02:32:51PM +1000, raf wrote:
> I guess the most pragmatic thing to do would be to only use DANE/TLSA
> for port 25 with self-signed certificates with self-automated rollovers,
> and use certbot-created certificates (without corresponding TLSA records)
> for everything else
On 8/24/21 19:23, Viktor Dukhovni wrote:
On 24 Aug 2021, at 7:58 pm, Matt Corallo wrote:
May be worth mentioning here that, sadly, Postfix does not support MTA-STS
currently.
The one implementation at https://github.com/Snawoot/postfix-mta-sts-resolver/
will reduce security rather than in
> On 24 Aug 2021, at 7:58 pm, Matt Corallo wrote:
>
> May be worth mentioning here that, sadly, Postfix does not support MTA-STS
> currently.
>
> The one implementation at
> https://github.com/Snawoot/postfix-mta-sts-resolver/ will reduce security
> rather than increase it as dual-MTA-STS-DAN
On 8/18/21 21:44, raf wrote:
They are into MTA-STS instead, as a way to prevent
downgrade attacks against mail servers.
SMTP MTA Strict Transport Security (MTA-STS)
https://tools.ietf.org/html/rfc8461 (Proposed Standard)
But that's all it does (assuming other mail servers are
paying atte
On 21. Aug 2021, at 01:57, Viktor Dukhovni wrote:
>> On 20 Aug 2021, at 4:59 pm, Michael Grimm wrote:
>> All of my domains are signed by KSK(13) and ZSK(13) and I do still rotate my
>> ZSK's every 90 days after my migration from DSA keys. If I do understand you
>> correctly, I could modify my
> On 20 Aug 2021, at 4:59 pm, Michael Grimm wrote:
>
> Thanks for that information I didn't think about before.
>
> All of my domains are signed by KSK(13) and ZSK(13) and I do still rotate my
> ZSK's every 90 days after my migration from DSA keys. If I do understand you
> correctly, I could
Viktor Dukhovni wrote:
> With ECDSA P256(13) as the DNSKEY (signature) algorithm, the incentive
> to rotate keys frequently (~90 days) is substantially lower, as the keys
> are strong enough to resist cryptographic attacks for years. The only
> practical risk is key disclosure.
Thanks for that
On Thu, Aug 19, 2021 at 01:11:37AM -0400, Viktor Dukhovni wrote:
> On Thu, Aug 19, 2021 at 02:44:44PM +1000, raf wrote:
>
> > I just saw Viktor's reply about mx[1-4].smtp.goog,
> > and it looks like those domains are no longer signed:
> >
> > > host -t ds mx1.smtp.goog
> > mx1.smtp.goog ha
On Thu, Aug 19, 2021 at 02:44:44PM +1000, raf wrote:
> > Is google / gmail using it yet?
> > Last I knew they weren't using DNSSEC or DANE.
>
> Nope.
Actually, yes to some extent. See my more detailed response.
> But it's still a very small percentage overall.
I'm tracking ~15.8 million DNSSE
On Wed, Aug 18, 2021 at 10:03:06PM -0400, post...@ptld.com wrote:
> > The adoption of DNSSEC seems to have increased a lot in
> > the past 12 months (~30% increase).
>
> Is google / gmail using it yet?
> Last I knew they weren't using DNSSEC or DANE.
Nope.
> host -t ds google.com
google.com
On Wed, Aug 18, 2021 at 10:03:06PM -0400, post...@ptld.com wrote:
> > The adoption of DNSSEC seems to have increased a lot in
> > the past 12 months (~30% increase).
>
> Is google / gmail using it yet?
There are 4 GMail MX hosts that are not publicised by Google,
but are DNSSEC signed:
mx[1
On Wed, Aug 18, 2021 at 11:04:10AM +0200, Marcel de Riedmatten wrote:
> On Wednesday, 18 August 2021 at 17:45 +1000, raf wrote:
> >
> > I'll need to find out how to replace one certificate
> > with the other as well.
>
> Keep in mind that both certificates will have a different path. It goes
> s
The adoption of DNSSEC seems to have increased a lot in
the past 12 months (~30% increase).
Is google / gmail using it yet?
Last I knew they weren't using DNSSEC or DANE.
On Wed, Aug 18, 2021 at 09:52:38PM +0200, Ralph Seichter wrote:
> * raf:
>
> > If you don't mind having a key that lasts "forever", you only
> > need one(!) extra line in Bind's zone config, and one(!) manual
> > interaction with your domain registrar.
>
> Well, sort of. As per default setting
> On 18 Aug 2021, at 4:35 pm, Ralph Seichter wrote:
>
> I still use RSA keys (algorithm 8). My main point is that I find it more
> convenient to only roll ZSK, and to only place KSK data into the parent
> zone. The latter requires me to ask my hosting provider to manually
> update key material in
* Viktor Dukhovni:
> With ECDSA P256(13) as the DNSKEY (signature) algorithm, the incentive
> to rotate keys frequently (~90 days) is substantially lower [...]
I still use RSA keys (algorithm 8). My main point is that I find it more
convenient to only roll ZSK, and to only place KSK data into the
> On 18 Aug 2021, at 3:52 pm, Ralph Seichter wrote:
>
> Well, sort of. As per default settings, BIND does not appear to create a
> key signing key (KSK) / zone signing key (ZSK) pair, but instead one
> single key to sign each zone. That's sufficient from a technical
> perspective, but whenever th
* raf:
> If you don't mind having a key that lasts "forever", you only need
> one(!) extra line in Bind's zone config, and one(!) manual interaction
> with your domain registrar.
Well, sort of. As per default settings, BIND does not appear to create a
key signing key (KSK) / zone signing key (ZSK
On Wednesday, 18 August 2021 at 17:45 +1000, raf wrote:
>
> I'll need to find out how to replace one certificate
> with the other as well.
Keep in mind that both certificates will have a different path. It goes
so:
1) create the new certificate
2) add a TLSA record to the zone for the new key and
On Wed, Aug 18, 2021 at 08:53:40AM +0200, Marcel de Riedmatten wrote:
> On Wednesday, 18 August 2021 at 14:32 +1000, raf wrote:
> >
> > It would be great if certbot supported multiple simultaneous
> > certificates
> > for a domain, so that the next certificate could be ready in advance.
> > Then
On Wednesday, 18 August 2021 at 14:32 +1000, raf wrote:
>
> It would be great if certbot supported multiple simultaneous
> certificates
> for a domain, so that the next certificate could be ready in advance.
> Then pre/post/deploy hooks could take care of everything fairly
> easily.
> But I might ha
On Tue, Aug 17, 2021 at 12:35:40PM -0400, Viktor Dukhovni wrote:
> On Tue, Aug 17, 2021 at 06:12:04PM +1000, raf wrote:
>
> > If you use Debian stable, and ISC Bind, it has just
> > become really really easy to implement DNSSEC for your
> > domain(s).
>
> Indeed, BIND 9.16 makes it dramaticall
On Tue, Aug 17, 2021 at 06:12:04PM +1000, raf wrote:
> If you use Debian stable, and ISC Bind, it has just
> become really really easy to implement DNSSEC for your
> domain(s).
Indeed, BIND 9.16 makes it dramatically easier to sign your DNS zone and
keep it signed reliably. It automates ZSK roll
Hi,
If you'd like to point DANE at your postfix server,
today might be a good day to look into it. If not,
please ignore the rest of this post. And apologies if
this is all old news to you.
If you use Debian stable, and ISC Bind, it has just
become really really easy to implement DNSSEC for your