ANN: DANE testing (sink at

Viktor Dukhovni ietf-dane at
Thu Apr 9 02:04:00 CEST 2015

On Thu, Apr 09, 2015 at 01:14:19AM +0200, Benny Pedersen wrote:

> >If you need a DNSSEC-enabled destination to test your DANE setup, send a
> >message to sink at It will accept your message and discard it.
> >
> >Check your log for a line "to". If it reads "Verified TLS
> >connection" (Postfix) your DANE setup works properly.

This tests outbound DANE settings in the Postfix SMTP client.

> posttls-finger

This tests inbound DANE TLSA records in the Postfix SMTP server.

> >Apr  8 19:52:31 mail postfix/smtp[28741]: Verified TLS connection
> >established to[2001:1578:400:111::3:1]:25: TLSv1.2 with
> >cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> yes
> named.conf:
> dnssec-enable yes;
> dnssec-validation auto;
> dnssec-lookaside auto;

I don't recommend ISC DLV lookaside.  This is obsolete.

> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane

These are Postfix SMTP client settings.

> from then on just use posttls-finger without any options
> posttls-finger

Which are not tested by posttls-finger; it tests the DANE configuration
of remote domains, not the client settings of the local MTA, which
it mostly does not use.  (It does rely on the same working resolver.)
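
The outbound log check from the quoted announcement, as an added example that is not part of the original thread: it reads Postfix SMTP client log lines and reports which expected destinations were not reached over a "Verified" TLS connection. The host names, addresses and sample log lines are constructed for illustration; the status words other than "Verified" are the ones the Postfix SMTP client logs in the same position.

```python
import re
from collections import defaultdict

# Postfix SMTP client TLS summary line. The first word is the trust status;
# only "Verified" means the peer matched its TLSA records (or other
# configured verification), which is what the announcement says to look for.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<status>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]"
    r":(?P<port>\d+): (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

def tls_status_by_host(lines):
    """Map each destination host to the set of TLS statuses logged for it."""
    seen = defaultdict(set)
    for line in lines:
        m = TLS_LINE.search(line)
        if m:
            seen[m.group("host").lower()].add(m.group("status"))
    return dict(seen)

def unverified(lines, expected_hosts):
    """Expected hosts with no TLS line at all, or with any status weaker
    than Verified (a mix of Verified and Untrusted is also reported)."""
    seen = tls_status_by_host(lines)
    return sorted(h for h in expected_hosts
                  if seen.get(h.lower(), set()) != {"Verified"})

# Constructed sample log lines (one syslog record per line, not wrapped).
SAMPLE_LOG = [
    "Apr  8 19:52:31 mail postfix/smtp[28741]: Verified TLS connection "
    "established to mx.dane.example[2001:db8::3:1]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Apr  8 19:53:02 mail postfix/smtp[28750]: Untrusted TLS connection "
    "established to mx.nodane.example[192.0.2.10]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Apr  8 19:54:10 mail postfix/smtp[28761]: Anonymous TLS connection "
    "established to mx.old.example[192.0.2.20]:25: TLSv1 with cipher "
    "ADH-AES256-SHA (256/256 bits)",
]

if __name__ == "__main__":
    hosts = ["mx.dane.example", "mx.nodane.example", "mx.missing.example"]
    for host in unverified(SAMPLE_LOG, hosts):
        print("not verified:", host)
```

A host reported here either never produced a TLS summary line (no delivery attempt, or plaintext) or was reached without verification, so it is the starting point for checking resolver validation and the destination's TLSA records.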

