Setting up Dane again from start

Frank Fiene ffiene at
Wed Feb 11 12:07:40 CET 2015


Just from the start, I did the following steps:

1.) Our DNS provider has secured the domain with DNSSEC:

2.) I’ve computed "openssl x509 -in -outform DER | openssl sha256" the 256-bit hash from the complete certificate chain which is used by Postfix as well.

3.) Our DNS provider has added this to the domain and has signed it again (no idea why there is a blank!).
	_*	3600	IN	TLSA	3 0 1 04459A87D803EE5D2450114C09E8370DC51B27716431378CFA5560E1 53AED957

4.) I am still getting the error

TLSA 3 0 1 should be correct, right? I am using the whole certificate chain for the hash, the same certificate file I’ve configured within Postfix.
_* should also be working!

So what might be the problem now?

Kind regards!
Frank Fiene
IT-Security Manager VEKA Group

Fon: +49 2526 29-6200
Fax: +49 2526 29-16-6200
mailto: ffiene at

PGP-ID: 62112A51
PGP-Fingerprint: 7E12 D61B 40F0 212D 5A55 765D 2A3B B29B 6211 2A51
Threema: VZK5NDWW

Dieselstr. 8
48324 Sendenhorst

Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO),
Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler,
Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Ulrich Weimer
HRB 8282 AG Münster/District Court of Münster
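
Added example (not part of the original message, and not Postfix or OpenSSL code): a check of which certificate in a PEM chain file a `3 0 1` record actually matches. It relies on two facts: `openssl x509` reads only the first certificate in its input, and whitespace inside the hex data of a TLSA record is permitted in presentation format (RFC 6698, section 2.2). The certificate bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample: two stand-in "certificates" (arbitrary bytes, not real
# X.509) in one PEM bundle, leaf first, as a mail server chain file is laid out.
LEAF_DER = b"constructed-leaf-certificate-bytes"
ISSUER_DER = b"constructed-issuer-certificate-bytes"

def to_pem(der):
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

BUNDLE = to_pem(LEAF_DER) + to_pem(ISSUER_DER)
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_blocks(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    return [base64.b64decode(body) for body in PEM_RE.findall(pem_text)]

def tlsa_3_0_1(der):
    """Association data for selector 0 (full cert), matching type 1 (SHA-256)."""
    return hashlib.sha256(der).hexdigest()

def parse_tlsa(rr_line):
    """Split a presentation-format TLSA RR into (usage, selector, mtype, hex)."""
    fields = rr_line.split()
    i = fields.index("TLSA")
    usage, selector, mtype = (int(x) for x in fields[i + 1:i + 4])
    # Blanks inside the hex string are presentation only: join and lowercase.
    return usage, selector, mtype, "".join(fields[i + 4:]).lower()

def matching_cert(rr_line, pem_text):
    """Index of the bundle certificate the record matches, or None."""
    _usage, selector, mtype, data = parse_tlsa(rr_line)
    if (selector, mtype) != (0, 1):
        raise ValueError("only selector 0 / matching type 1 is handled here")
    for idx, der in enumerate(pem_blocks(pem_text)):
        if tlsa_3_0_1(der) == data:
            return idx
    return None

if __name__ == "__main__":
    digest = tlsa_3_0_1(pem_blocks(BUNDLE)[0])
    rr = "_25._tcp.mail.example. 3600 IN TLSA 3 0 1 %s %s" % (digest[:56], digest[56:])
    print(matching_cert(rr, BUNDLE))
```

For a usage 3 record the expected result is index 0, the end-entity certificate the server presents; `None` means the published digest was computed over something other than a single certificate's DER encoding.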
