What would you like to read about DANE on the test site?

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Jan 16 19:28:47 CET 2015

On Fri, Jan 16, 2015 at 10:41:27AM +0100, Markus Benning wrote:

[ Postfix-specific topic, if you're not a Postfix user, you can
  safely ignore this sub-thread. ]

> > Outgoing TLS trust-level
> > ------------------------
> >    2289   Untrusted
> >     914   Verified
> >     235   Trusted
> As far as i understand the docs with tls_security_level=dane it should
> mean:
>  Verified - DANE okay (or explicit policy map)
>  Trusted - CA signed certificate
>  Untrusted - unknown CA, selfsigned...
> http://www.postfix.org/FORWARD_SECRECY_README.html

There's also "Anonymous".  As for DANE, if the destination has TLSA
records, you'll see "Verified" when it works, and "Untrusted" when
it fails.

With the other security levels, you'll sometimes see "Trusted",
when the chain is issued by a trusted CA (if you've configured
any), but either peer checks fail or authentication is not required
("encrypt" or "may").


More information about the dane-users mailing list