Setting up Dane again from start

John john at klam.ca
Wed Feb 11 12:18:46 CET 2015


On 2/11/2015 6:07 AM, Frank Fiene wrote:
> Hi,
>
>
> just from start I did the following steps:
>
> 1.) Our DNS provider has secured the domain veka.com with DNSSEC: http://dnssec-debugger.verisignlabs.com/veka.com
>
> 2.) I’ve computed "openssl x509 -in mail.veka.com.crt -outform DER | openssl sha256" the 256bit hash from the complete certificate chain which is used by Postfix as well.
> 	04459a87d803ee5d2450114c09e8370dc51b27716431378cfa5560e153aed957
>
> 3.) Our DNS provider has added this to the domain and has signed it again (no idea why there is a blank!).
> 	_*._tcp.mail.veka.com.	3600	IN	TLSA	3 0 1 04459A87D803EE5D2450114C09E8370DC51B27716431378CFA5560E1 53AED957
>
> 4.) I am still getting the error https://dane.sys4.de/smtp/veka.com
>
>
> In TLSA 3 0 1 should be correct, right? I am using the whole certificate chain for the hash, the same certificate file I’ve configured within Postfix.
> _*._tcp.mail.veka.com. should be also working!
>
> So what might be the problem now?
>
>
> Kind regards!
> Frank
> --
> Frank Fiene
> IT-Security Manager VEKA Group
>
> Fon: +49 2526 29-6200
> Fax: +49 2526 29-16-6200
> mailto: ffiene at veka.com
> http://www.veka.com
>
> PGP-ID: 62112A51
> PGP-Fingerprint: 7E12 D61B 40F0 212D 5A55 765D 2A3B B29B 6211 2A51
> Threema: VZK5NDWW
>
> VEKA AG
> Dieselstr. 8
> 48324 Sendenhorst
> Deutschland/Germany
>
> Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO),
> Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler,
> Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Ulrich Weimer
> HRB 8282 AG Münster/District Court of Münster
>
I am not 100% certain, but I don't think you can use _*.tcp...... I 
think it has to be an actual port. In this case _25._tcp. ma.......

-- 
John Allen
KLaM
------------------------------------------
we should be careful not to ascribe to malice what could equally be 
explained by incompetence.
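
The check discussed in this thread, as an added example that is not part of the original messages or anyone's actual setup: it builds a `3 0 1` TLSA line from the first certificate in a PEM file and validates a published line's owner name, parameters and digest. The function names, the host `mail.example.test` and the sample chain bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def leaf_der(pem_text):
    """DER bytes of the first certificate in a PEM file (the only one `openssl x509 -in` reads)."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def tlsa_3_0_1(pem_text, host, port=25):
    """Zone-file line: usage 3 (DANE-EE), selector 0 (full cert), matching type 1 (SHA-256)."""
    digest = hashlib.sha256(leaf_der(pem_text)).hexdigest()
    return f"_{port}._tcp.{host.rstrip('.').lower()}. IN TLSA 3 0 1 {digest}"

def check_record(rr_line, pem_text, host, port=25):
    """Return a list of problems with a published TLSA line for host:port (empty list = OK)."""
    fields = rr_line.split()
    i = fields.index("TLSA")
    owner, params = fields[0].lower(), fields[i + 1:i + 4]
    # Whitespace inside the hex data is legal in presentation format (RFC 6698, section 2.2).
    data = "".join(fields[i + 4:]).lower()
    base = f"_tcp.{host.rstrip('.').lower()}."
    problems = []
    # A client queries _<port>._tcp.<host>.; only a leftmost label of exactly "*" is a DNS wildcard.
    if owner not in (f"_{port}.{base}", f"*.{base}"):
        problems.append(f"owner {owner} does not answer a query for _{port}.{base}")
    if params != ["3", "0", "1"]:
        problems.append(f"parameters {' '.join(params)} are not 3 0 1")
    if data != hashlib.sha256(leaf_der(pem_text)).hexdigest():
        problems.append("digest does not match the leaf certificate")
    return problems

def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

# Constructed stand-ins for a leaf + issuer chain file; the bytes are not real certificates.
SAMPLE_CHAIN = _pem(b"constructed leaf certificate bytes") + _pem(b"constructed issuer bytes")

if __name__ == "__main__":
    good = tlsa_3_0_1(SAMPLE_CHAIN, "mail.example.test")
    print(good, check_record(good, SAMPLE_CHAIN, "mail.example.test"))
    bad = good.replace("_25._tcp", "_*._tcp")
    print(bad, check_record(bad, SAMPLE_CHAIN, "mail.example.test"))
```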
