Setting up Dane again from start

Carsten Strotmann (sys4) cs at sys4.de
Wed Feb 11 12:34:04 CET 2015


Hello Frank,

Frank Fiene wrote:
> 3.) Our DNS provider has added this to the domain and has signed it again (no idea why there is a blank!).
> 	_*._tcp.mail.veka.com.	3600	IN	TLSA	3 0 1 04459A87D803EE5D2450114C09E8370DC51B27716431378CFA5560E1 53AED957

This is an incorrect use of a DNS wildcard.

See http://www.ietf.org/rfc/rfc4592

The asterisk must be the leftmost character in the domain name; an
asterisk inside a domain name is just that, an asterisk. The TLSA record
above does not match port 25.

The record
*._tcp.mail.veka.com.	3600	IN	TLSA	
would be valid; it would match all ports on the machine mail.veka.com,
but I'm not sure if that is useful.

Best regards

Carsten Strotmann
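
Added example, not part of the original message: a simplified RFC 4592 lookup (single zone, no CNAME/DNAME handling) showing why the published owner name never answers a query for `_25._tcp.mail.veka.com.` while the leftmost-label wildcard does. The zone contents and the function names are constructed for illustration; only the two TLSA owner names come from the thread.

```python
# Added example: simplified RFC 4592 wildcard lookup (no CNAME/DNAME, one zone).

def labels(name):
    """Split a domain name into lowercase labels, ignoring the trailing dot."""
    return tuple(l for l in name.lower().rstrip(".").split(".") if l)

def existing_names(owners):
    """Every name that exists in the zone, including empty non-terminals."""
    names = set()
    for owner in owners:
        ls = labels(owner)
        for i in range(len(ls)):
            names.add(ls[i:])
    return names

def find_source(owners, qname):
    """Return the owner name whose records answer qname, or None."""
    q = labels(qname)
    by_labels = {labels(o): o for o in owners}
    exist = existing_names(owners)
    if q in exist:
        # The name exists: exact match only, wildcards are never consulted.
        return by_labels.get(q)
    # Find the closest encloser: the longest existing ancestor of qname.
    for i in range(1, len(q)):
        encloser = q[i:]
        if encloser in exist:
            # Only "*.<closest encloser>" can synthesize an answer, and only
            # when "*" is the entire leftmost label.
            return by_labels.get(("*",) + encloser)
    return None

# Constructed zone contents; the two TLSA owner names are those from the thread.
ZONE_AS_PUBLISHED = ["veka.com.", "mail.veka.com.", "_*._tcp.mail.veka.com."]
ZONE_WILDCARD = ["veka.com.", "mail.veka.com.", "*._tcp.mail.veka.com."]

if __name__ == "__main__":
    for zone in (ZONE_AS_PUBLISHED, ZONE_WILDCARD):
        for q in ("_25._tcp.mail.veka.com.", "_443._tcp.mail.veka.com."):
            print(zone[-1], q, "->", find_source(zone, q))
```

With the owner name as published, an SMTP client asking for the port 25 TLSA record gets no answer, so the DANE setup is not in effect for that service.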
