Setting up Dane again from start

Frank Fiene ffiene at veka.com
Wed Feb 11 18:20:32 CET 2015


That DNS setup looks better, thx.

This time I will go for the CA-signed certificate.


> Am 11.02.2015 um 17:55 schrieb Viktor Dukhovni <ietf-dane at dukhovni.org>:
> 
> On Wed, Feb 11, 2015 at 12:59:01PM +0100, Frank Fiene wrote:
> 
>> This should work for pop3s and imaps, too, shouldn't it?
>> What is about pop3 and imap with TLS, the same?
> 
> For a shared key for multiple services that use distinct protocols:
> 
> 	_dane.mail.example.com.     IN TLSA 3 1 1 <sha256 SPKI digest>
> 	_25._tcp.mail.example.com.  IN CNAME _dane.mail.example.com.
> 	_110._tcp.mail.example.com. IN CNAME _dane.mail.example.com.
> 	_143._tcp.mail.example.com. IN CNAME _dane.mail.example.com.
> 	_587._tcp.mail.example.com. IN CNAME _dane.mail.example.com.
> 	_993._tcp.mail.example.com. IN CNAME _dane.mail.example.com.
> 
> This only makes sense if you need the certificate to be from a
> public CA trusted by some SMTP/IMAP/POP clients.  For port 25, you
> should just go with a distinct self-signed key.  Not sharing keys
> avoids simultaneously breaking all the services that share that key
> when a mistake is made during key rotation.
> 
> To generate the "3 1 1" SPKI digest:
> 
>    printf '_dane.%s. IN TLSA 3 1 1 %s\n' \
>        mail.example.com \
>        $(openssl x509 -in cert.pem -noout -pubkey |
>            openssl pkey -pubin -outform DER |
>            openssl dgst -sha256 -binary |
>            hexdump -ve '/1 "%02x"')
> 
> * Never make the mistake of using a certificate digest with a "3 1 1"
>  TLSA record or an SPKI (i.e. SubjectPublicKeyInfo or, in other words,
>  the public key algorithm id, parameters and key bits) digest with
>  a "3 0 1" TLSA record.
> 
> * Never make the mistake of installing a new key or certificate without
>  following the TLSA record update process described in:
> 
>    http://tools.ietf.org/html/draft-ietf-dane-ops-07#section-8.1
>    http://tools.ietf.org/html/draft-ietf-dane-ops-07#section-8.4
> 
> --
> 	Viktor.

Best regards!
p.p. Frank Fiene
--
Frank Fiene
IT-Security Manager VEKA Group

Phone: +49 2526 29-6200
Fax: +49 2526 29-16-6200
mailto: ffiene at veka.com
http://www.veka.com

PGP-ID: 62112A51
PGP-Fingerprint: 7E12 D61B 40F0 212D 5A55 765D 2A3B B29B 6211 2A51
Threema: VZK5NDWW

VEKA AG
Dieselstr. 8
48324 Sendenhorst
Germany

Executive Board: Andreas Hartleif (CEO),
Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler,
Chairman of the Supervisory Board: Ulrich Weimer
HRB 8282, District Court of Münster
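The shared-key zone layout and the "3 1 1" digest recipe from the quoted reply, worked through as an added example that is not part of the original thread. It assumes a POSIX sh with openssl in PATH, and the key and certificate it hashes are throwaway self-signed ones generated on the fly as constructed input (the record names under mail.example.com are placeholders). It goes a little beyond the quote: it also computes the selector-0 (whole certificate) digest so the two can be told apart and a mixed-up record can be caught before publication, and it prints a current-plus-next pair of "3 1 1" records, the rollover pattern assumed here, where the next key's record is published ahead of the key change and the old record is kept until its TTL has expired.

```shell
#!/bin/sh
# Added example, not code from the original message. Builds and sanity-checks
# DANE-EE(3) TLSA records with OpenSSL. Certificates are generated below as
# constructed test input; nothing here touches real DNS or real keys.
set -e

# Hex SHA-256 of stdin. od is used instead of hexdump because od is POSIX.
sha256_hex() {
    openssl dgst -sha256 -binary | od -An -v -tx1 | tr -d ' \n'
}

# Selector 1: digest of the DER SubjectPublicKeyInfo
# (algorithm id, parameters and key bits), exactly what a "3 1 1" record carries.
spki_digest() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        sha256_hex
}

# Selector 0: digest of the whole DER certificate. This changes on every
# reissue even when the key stays the same, which is why it must never be
# pasted into a "3 1 1" record.
cert_digest() {
    openssl x509 -in "$1" -outform DER | sha256_hex
}

# tlsa_rr NAME SELECTOR CERT -> one "3 <selector> 1" record in zone-file syntax.
tlsa_rr() {
    case "$2" in
        0) d=$(cert_digest "$3") ;;
        1) d=$(spki_digest "$3") ;;
        *) echo "bad selector: $2" >&2; return 2 ;;
    esac
    printf '%s. IN TLSA 3 %s 1 %s\n' "$1" "$2" "$d"
}

# tlsa_matches CERT SELECTOR HEX -> exit 0 iff HEX is the correct digest for
# that selector. Run this against a record before publishing it: a certificate
# digest offered for selector 1 is rejected here instead of in production.
tlsa_matches() {
    case "$2" in
        0) expected=$(cert_digest "$1") ;;
        1) expected=$(spki_digest "$1") ;;
        *) return 2 ;;
    esac
    [ "$expected" = "$(printf '%s' "$3" | tr 'A-F' 'a-f')" ]
}

# shared_key_zone HOST CERT PORT... -> one _dane.<host> record plus one CNAME
# per port, the layout from the quoted reply for a key shared across services.
shared_key_zone() {
    host=$1; cert=$2; shift 2
    tlsa_rr "_dane.$host" 1 "$cert"
    for port in "$@"; do
        printf '_%s._tcp.%s. IN CNAME _dane.%s.\n' "$port" "$host" "$host"
    done
}

# rollover_zone NAME CURRENT_CERT NEXT_CERT -> "current + next": both keys'
# records coexist while the new key is rolled in; the old one is removed only
# after the previous record set's TTL has expired.
rollover_zone() {
    tlsa_rr "$1" 1 "$2"
    tlsa_rr "$1" 1 "$3"
}

# make_selfsigned CN OUT.pem -> throwaway RSA key and certificate (constructed input).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2" \
        -subj "/CN=$1" -days 30 2>/dev/null
}

# Demo: two constructed certificates in a temp dir, the zone fragments, and
# a check that the wrong digest type is refused for selector 1.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_selfsigned mail.example.com "$work/cur.pem"
make_selfsigned mail.example.com "$work/next.pem"
shared_key_zone mail.example.com "$work/cur.pem" 25 110 143 587 993
echo "--- rollover (current + next) for port 25 ---"
rollover_zone _25._tcp.mail.example.com "$work/cur.pem" "$work/next.pem"
if tlsa_matches "$work/cur.pem" 1 "$(cert_digest "$work/cur.pem")"; then
    echo "BUG: certificate digest accepted for selector 1"
else
    echo "ok: certificate digest rejected for selector 1"
fi
```

The `tlsa_matches` check is the one worth wiring into whatever publishes the zone: it recomputes the digest for the selector the record claims and refuses anything else, so the "cert digest in a 3 1 1 record" and "SPKI digest in a 3 0 1 record" mistakes fail at commit time rather than at the first TLS handshake.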
