is this "normal" if not what to do about it?

Viktor Dukhovni ietf-dane at
Tue Jan 27 05:50:12 CET 2015

On Mon, Jan 26, 2015 at 11:25:58PM -0500, John wrote:

> Thanks for the reassurance.  I was not sure whether there was a problem or
> not. Every test I ran indicated that there was no problem, but being new and
> nervous I thought I should ask.

My only comment on your settings:

    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45762
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    ;               IN SOA                SOA 2015012610 14400 3600 1209600 3600                RRSIG   SOA 8 2 3600 20150226005819 20150126235819 849 <signature>

is that a 30 day signature is at the high end of the sensible range.

However, this is often reasonable for domains that don't have much
of value to protect.  For a domain with more at stake, and a
operations staff that ensures that all secondary servers are always
reasonably current, and signature updates always timely, one might
consider ~7-day signatures rather than 31-day signatures.

Bottom-line, you're fine, you even have working TLSA records: IN MX 10 IN TLSA 3 0 1 5bf12300255d1475ae43677b7062ab8964ca097ee6096cd005115b8c974e83ab

that match your SMTP server's certificate.  Just don't forget to
add a TLSA record that matches your next certificate a few TTLs
*before* you deploy it.

After the new cert chain live, you can drop the original TLSA RR,
leaving only the new one in place.


More information about the dane-users mailing list