ANN: DANE testing (sink at dane.sys4.de)
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Apr 9 02:04:00 CEST 2015
On Thu, Apr 09, 2015 at 01:14:19AM +0200, Benny Pedersen wrote:
> >If you need a DNSSEC-enabled destination to test your DANE setup, send a
> >message to sink at dane.sys4.de. It will accept your message and discard it.
> >
> >Check your log for a line "to dane.sys4.de". If it reads "Verified TLS
> >connection" (Postfix) your DANE setup works properly.
This tests outbound DANE settings in the Postfix SMTP client.
> posttls-finger example.org
This tests inbound DANE TLSA records in the Postfix SMTP server.
> >Apr 8 19:52:31 mail postfix/smtp[28741]: Verified TLS connection
> >established to dane.sys4.de[2001:1578:400:111::3:1]:25: TLSv1.2 with
> >cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> yes
>
> named.conf:
> dnssec-enable yes;
> dnssec-validation auto;
> dnssec-lookaside auto;
I don't recommend ISC DLV lookaside. This is obsolete.
> main.cf:
> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane
These are Postfix SMTP client settings.
> from then on just use posttls-finger without any options
>
> posttls-finger dane.sys4.de
Which are not tested by posttls-finger, it tests the DANE configuration
of remote domains, not the client settings of the local MTA which
it mostly does not use. (It does rely on the same working resolver).
--
Viktor.
More information about the dane-users
mailing list