It appears that Viktor Dukhovni <uta@ietf.org> said:
>On Thu, Jun 23, 2022 at 01:42:46PM -0400, John R Levine wrote:
>
>> Among the reasons that DANE in e-mail is less common is that it is tricky.
>
>DANE is only "tricky" when you're trying to integrate TLSA record
>updates with ACME cert rollovers and don't configure key reuse.

Kind of. I use the same key for all of the certs for the many names that each of my mail servers has, so I have one TLSA record and a lot of CNAMEs. That's probably bad practice for some reason, but whatever.

One tricky part is setting things up: ensuring that you know all the names the server has, and that the certs are all issued and the TLSA or CNAME installed. The other tricky part is automating the renewals, which requires either DNS API access or a hack with a web server with the same name as each mail server name. Neither is horribly difficult, but they're things mail operators haven't had to do in the past.

R's,
John
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
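The key-reuse point in this exchange is that a "3 1 1" TLSA record hashes only the certificate's SubjectPublicKeyInfo, so a renewal that keeps the same key leaves the published record valid while a renewal with a fresh key silently breaks it. The following is an added example, not code from the thread or from any DANE tool, that builds two structurally valid (unsigned, placeholder-signature) X.509 certificates around a toy RSA key, extracts the SPKI with a small DER walker, and checks whether a published record still matches. The moduli, serial numbers and dates are constructed placeholders; the parser assumes the standard RFC 5280 TBSCertificate field order.

```python
import hashlib

# Minimal DER helpers written for this example (standard library only).
RSA_OID = bytes.fromhex("06092a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSA


def der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def seq(*items):
    return der(0x30, b"".join(items))


def integer(n):
    # Positive INTEGER; the extra byte keeps a leading 0x00 when the top bit is set.
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo for an RSA key (RFC 3279 layout inside RFC 5280)."""
    rsa_key = seq(integer(modulus), integer(exponent))
    return seq(seq(RSA_OID, der(0x05, b"")), der(0x03, b"\x00" + rsa_key))


def fake_cert(serial, spki):
    """Structurally valid Certificate with empty issuer/subject and a placeholder signature.
    Only the layout matters here; nothing verifies the signature (constructed test data)."""
    tbs = seq(
        der(0xA0, integer(2)),                               # [0] EXPLICIT version v3
        integer(serial),                                     # serialNumber
        seq(SHA256_RSA_OID, der(0x05, b"")),                 # signature algorithm
        seq(),                                               # issuer (empty Name)
        seq(der(0x17, b"220101000000Z"), der(0x17, b"230101000000Z")),  # validity
        seq(),                                               # subject (empty Name)
        spki,                                                # subjectPublicKeyInfo
    )
    return seq(tbs, seq(SHA256_RSA_OID, der(0x05, b"")), der(0x03, b"\x00" * 9))


def der_read(buf, pos):
    """Parse one TLV header at pos; return (tag, element_end, content_start)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos + length, pos


def der_children(buf, start, end):
    """List (tag, elem_start, elem_end, content_start) for each TLV inside a constructed type."""
    out, pos = [], start
    while pos < end:
        tag, elem_end, content_start = der_read(buf, pos)
        out.append((tag, pos, elem_end, content_start))
        pos = elem_end
    return out


def extract_spki(cert_der):
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate."""
    _, cert_end, cert_content = der_read(cert_der, 0)
    _, _, tbs_end, tbs_content = der_children(cert_der, cert_content, cert_end)[0]
    fields = der_children(cert_der, tbs_content, tbs_end)
    if fields[0][0] == 0xA0:          # optional [0] version is first when present
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, spki_start, spki_end, _ = fields[5]
    return cert_der[spki_start:spki_end]


def tlsa_3_1_1(cert_der):
    """DANE-EE(3) SPKI(1) SHA-256(1) record data, as it would be published in DNS."""
    return "3 1 1 " + hashlib.sha256(extract_spki(cert_der)).hexdigest()


def tlsa_matches(record, cert_der):
    """True when the published TLSA record still matches the certificate the MTA serves."""
    return record.split() == tlsa_3_1_1(cert_der).split()


# Constructed toy moduli (real keys are 2048+ bits); they stand in for "the server key".
KEY_A = (1 << 255) + 0xC0FFEE
KEY_B = (1 << 255) + 0xDECAF

CERT_OLD = fake_cert(1001, rsa_spki(KEY_A))       # the cert the TLSA record was published for
CERT_RENEWED = fake_cert(1002, rsa_spki(KEY_A))   # renewal that reuses the key
CERT_REKEYED = fake_cert(1003, rsa_spki(KEY_B))   # renewal that generated a fresh key

if __name__ == "__main__":
    record = tlsa_3_1_1(CERT_OLD)
    print("published:", record)
    print("renewal with key reuse still matches:", tlsa_matches(record, CERT_RENEWED))
    print("renewal with a fresh key matches:", tlsa_matches(record, CERT_REKEYED))
```

Running `tlsa_matches` against the certificate an MTA actually serves, before the renewed cert is swapped in, is the check that turns "don't forget key reuse" into something a renewal hook can enforce: if the record no longer matches, the hook refuses to install the cert until the TLSA record (or the one record that all the CNAMEs point at) has been updated and has propagated.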