ANN: DANE testing (sink at

Benny Pedersen me at
Thu Apr 9 03:27:33 CEST 2015

Viktor Dukhovni skrev den 2015-04-09 02:04:

>> named.conf:
>> dnssec-enable yes;
>> dnssec-validation auto;
>> dnssec-lookaside auto;
> I don't recommend ISC DLV lookaside.  This is obsolete.

changed to no, thanks for reminder, i knowed this but just forgot it was 

>> smtp_dns_support_level = dnssec
>> smtp_tls_security_level = dane
> These are Postfix SMTP client settings.

yes but it helps when testing server imho, or is there a better way ?

>> from then on just use posttls-finger without any options
>> posttls-finger
> Which are not tested by posttls-finger, it tests the DANE configuration
> of remote domains, not the client settings of the local MTA which
> it mostly does not use.  (It does rely on the same working resolver).

not good ?, eg is testing own domains this way insecure in testing it 
self ?, local or remote is no diff there ?

posttls-finger localhost

i tryed create a tlsa with

printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' $(uname -n) $(openssl x509 -in 
cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl 
dgst -sha256 -binary | hexdump -ve '/1 "%02x"')

but it failed for me after openssl upgrade to 1.0.1l

More information about the dane-users mailing list