TLSA Validation Failed
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Jul 28 16:52:08 CEST 2015
On Tue, Jul 28, 2015 at 03:34:23PM +0200, Bjørn Mork wrote:
> Mark Elkins <mje at posix.co.za> writes:
>
> > For email - you need a TLSA 311 Certificate.
>
> Care to explain why? I am sure I'm missing something here, but this
> isn't obvious to me.
>
> And does "email" mean SMTP or POP/IMAP or all of them?
Sorry, just MTA-to-MTA SMTP:
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-19#section-1.3
> Until now I've just used the same private self-signed CA certificate for
> all services, and just created aliases to a common TLSA 2 0 1 record.
That's also fine, if the CA in question is the issuer of the
individual server certificates. The constraint for MTA-to-MTA SMTP
is that you SHOULD NOT publish TLSA records with certificate usages
PKIX-TA(0) or PKIX-EE(1). A "3 X Y" is the right alternative for
"1 X Y" and "2 N M" is the right alternative for "0 N M".
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-19#section-3.1.1
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-19#section-3.1.2
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-19#section-3.1.3
https://tools.ietf.org/html/draft-ietf-dane-ops-14#section-5.1
https://tools.ietf.org/html/draft-ietf-dane-ops-14#section-5.2
https://tools.ietf.org/html/draft-ietf-dane-ops-14#section-5.3
https://tools.ietf.org/html/draft-ietf-dane-ops-14#section-5.4
> This appeared to work fine, but then again: I don't know how I would
> detect a failure... There aren't that many validating email clients out
> there.
>
> How do you test and validate TLSA records for SMTP, POP and IMAP?
Just for SMTP MTAs (port 25):
https://dane.sys4.de/
--
Viktor.
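An added example (not part of Viktor's message or of the DANE drafts it cites) of the certificate-usage guidance above in code: a small Python checker that parses presentation-format TLSA RDATA, flags PKIX-TA(0)/PKIX-EE(1) usages as not to be published for MTA-to-MTA SMTP and names the DANE alternative (0 to 2, 1 to 3), and verifies or generates a "3 1 1" record against a certificate's SubjectPublicKeyInfo. The certificate and SPKI bytes below are constructed placeholders, not a real key; obtaining the real DER from a TLS connection is outside the example.

```python
"""
Added example, not from the original message or the DANE drafts:
TLSA record parsing, SMTP usage advice, and DANE-EE data matching.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
# Per draft-ietf-dane-smtp-with-dane section 3.1: "3 X Y" replaces "1 X Y"
# and "2 N M" replaces "0 N M" for MTA-to-MTA SMTP.
SMTP_USAGE_FIX = {0: 2, 1: 3}


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA such as '3 1 1 <hex>'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA RDATA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in USAGE_NAMES or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError(f"invalid TLSA fields: {usage} {selector} {mtype}")
    # Zone files may split the hex across whitespace; join before decoding.
    data = bytes.fromhex("".join(parts[3:]))
    expected = {1: 32, 2: 64}.get(mtype)
    if expected is not None and len(data) != expected:
        raise ValueError(f"matching type {mtype} expects {expected} bytes, got {len(data)}")
    return TLSA(usage, selector, mtype, data)


def smtp_alternative(usage: int) -> int:
    """Return the usage a DANE SMTP publisher should use instead (identity for 2 and 3)."""
    return SMTP_USAGE_FIX.get(usage, usage)


def check_for_smtp(rec: TLSA) -> Optional[str]:
    """None if the record is suitable for MTA-to-MTA SMTP, else an explanation."""
    if rec.usage in SMTP_USAGE_FIX:
        fix = smtp_alternative(rec.usage)
        return (f"usage {rec.usage} ({USAGE_NAMES[rec.usage]}) SHOULD NOT be published "
                f"for SMTP; use {fix} ({USAGE_NAMES[fix]}) {rec.selector} {rec.mtype} instead")
    return None


def _selected_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Apply selector and matching type to the presented certificate material."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return selected
    if rec.mtype == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Does this record's data match the presented end-entity certificate?
    This is the DANE-EE(3) comparison only; DANE-TA(2) would additionally walk
    the issuer chain, and the TLS handshake itself is not modelled here."""
    return hmac.compare_digest(_selected_data(rec, cert_der, spki_der), rec.data)


def tlsa_rdata_for(cert_der: bytes, spki_der: bytes,
                   usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Build presentation-format RDATA (default '3 1 1') for a certificate."""
    rec = TLSA(usage, selector, mtype, b"")
    return f"{usage} {selector} {mtype} {_selected_data(rec, cert_der, spki_der).hex()}"


# Constructed placeholder bytes standing in for a certificate and its SPKI.
FAKE_CERT = b"\x30\x82" + bytes(range(96))
FAKE_SPKI = b"\x30\x59" + bytes(range(64))

if __name__ == "__main__":
    rdata = tlsa_rdata_for(FAKE_CERT, FAKE_SPKI)
    rec = parse_tlsa(rdata)
    print(rdata)
    print("matches:", matches(rec, FAKE_CERT, FAKE_SPKI))
    print("advice:", check_for_smtp(parse_tlsa("1 0 1 " + "00" * 32)))
```

The usage advice is purely about what to publish; the matching function shows why a "3 1 1" record keeps working across certificate renewals that reuse the key pair, since only the SubjectPublicKeyInfo is hashed.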