ANN: DANE testing (sink at dane.sys4.de)
Benny Pedersen
me at junc.eu
Thu Apr 9 03:27:33 CEST 2015
Viktor Dukhovni wrote on 2015-04-09 02:04:
>> named.conf:
>> dnssec-enable yes;
>> dnssec-validation auto;
>> dnssec-lookaside auto;
>
> I don't recommend ISC DLV lookaside. This is obsolete.
Changed to no, thanks for the reminder; I knew this but just forgot it was
deprecated.
>> main.cf:
>> smtp_dns_support_level = dnssec
>> smtp_tls_security_level = dane
>
> These are Postfix SMTP client settings.
Yes, but it helps when testing the server IMHO, or is there a better way?
>> from then on just use posttls-finger without any options
>>
>> posttls-finger dane.sys4.de
>
> Which are not tested by posttls-finger, it tests the DANE configuration
> of remote domains, not the client settings of the local MTA which
> it mostly does not use. (It does rely on the same working resolver).
Not good? E.g., is testing one's own domains this way insecure when testing it
yourself? Local or remote is no difference there?
posttls-finger localhost
posttls-finger localhost.example.org
I tried to create a TLSA with
printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' $(uname -n) \
    $(openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER |
      openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"')
but it failed for me after the OpenSSL upgrade to 1.0.1l.
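What that openssl pipeline computes, as an added example that is not part of this thread or of Postfix: a Python version that walks the certificate's DER to pull out the SubjectPublicKeyInfo and builds the "3 1 1" TLSA record from its SHA-256. The certificate it ships with is a constructed, X.509-shaped stand-in (the name mail.example.org is likewise assumed); pass the contents of a real PEM file to tlsa_3_1_1() to use it.

```python
import base64, hashlib, re

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the base64 body to DER."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def der_tlv(buf: bytes, pos: int = 0):
    """Read one DER TLV at pos -> (tag, value, end); handles long-form lengths."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long form: the next (n & 0x7f) bytes hold the length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def der_children(value: bytes) -> list:
    """Split a constructed value into its raw child TLVs (tag+length+value bytes)."""
    out, pos = [], 0
    while pos < len(value):
        _, _, end = der_tlv(value, pos)
        out.append(value[pos:end])
        pos = end
    return out

def spki_from_cert_der(cert_der: bytes) -> bytes:
    """Certificate = SEQ{tbsCertificate, sigAlg, sigValue}; TBSCertificate = SEQ{[0] version
    OPTIONAL, serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...}"""
    _, cert_body, _ = der_tlv(cert_der)
    _, tbs_body, _ = der_tlv(cert_body)            # tbsCertificate is the first child
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                       # explicit [0] version present (v2/v3 certs)
        fields = fields[1:]
    return fields[5]                               # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_3_1_1(pem: str, host: str, port: int = 25) -> str:
    """DANE-EE (3), SPKI selector (1), SHA-256 matching (1): digest the whole SPKI TLV."""
    digest = hashlib.sha256(spki_from_cert_der(pem_to_der(pem))).hexdigest()
    return f"_{port}._tcp.{host}. IN TLSA 3 1 1 {digest}"

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    k = (n.bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body
# Constructed, X.509-shaped sample with empty names and dummy key bits: NOT a real certificate.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b"")) + der(0x03, b"\x00" + bytes(range(256))))
_tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der(0x30, _tbs + der(0x30, b"") + der(0x03, b"\x00"))).decode() + "-----END CERTIFICATE-----\n"
```

Unlike the shell pipeline it depends neither on hexdump nor on the installed openssl CLI, so it is a useful cross-check when the generated record looks wrong after an upgrade.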