Setting up Dane again from start

Viktor Dukhovni ietf-dane at
Wed Feb 11 17:55:31 CET 2015

On Wed, Feb 11, 2015 at 12:59:01PM +0100, Frank Fiene wrote:

> This should work for pop3s and imaps, too, shouldn?t it?
> What is about pop3 and imap with TLS, the same?

For a shared key for multiple services that use distinct protocols:     IN TLSA 3 1 1 <sha256 SPKI digest>  IN CNAME IN CNAME IN CNAME IN CNAME IN CNAME

This only makes sense if you need the certificate to be from a
public CA trusted by some SMTP/IMAP/POP clients.  For port 25, you
should just go with a distinct self-signed key.  Not sharing keys
avoids simultaneously breaking all the services that share that key
when a mistake is made during key rotation.

To generate the "3 1 1" SPKI digest:

    printf '_dane.%s. IN TLSA 3 1 1 %s\n' \ \
        $(openssl x509 -in cert.pem -noout -pubkey |
            openssl pkey -pubin -outform DER |
            openssl dgst -sha256 -binary |
            hexdump -ve '/1 "%02x"')

* Never make the mistake of using a certificate digest with a "3 1 1"
  TLSA record or an SPKI (i.e. SubjectPublicKeyInfo or, in other words,
  the public key algorithm id, parameters and key bits) digest with
  a "3 0 1" TLSA record.

* Never make the mistake of installing a new key or certificate without
  following the TLSA record update process described in:


More information about the dane-users mailing list