TLSA Validation Failed

Viktor Dukhovni ietf-dane at
Tue Jul 28 16:52:08 CEST 2015

On Tue, Jul 28, 2015 at 03:34:23PM +0200, Björn Mork wrote:

> Mark Elkins <mje at> writes:
> > For email - you need a TLSA 311 Certificate.
> Care to explain why?  I am sure I'm missing something here, but this
> isn't obvious to me.
> And does "email" mean SMTP or POP/IMAP or all of them?

Sorry, just MTA-to-MTA SMTP:

> Until now I've just used the same private self-signed CA certificate for
> all services, and just created aliases to a common TLSA 2 0 1 record.

That's also fine, if the CA in question is the issuer of the
individual server certificates.  The constraint for MTA-to-MTA SMTP
is that you SHOULD NOT publish TLSA records with certificate usages
PKIX-TA(0) or PKIX-EE(1).  A "3 X Y" is the right alternative for
"1 X Y" and "2 N M" is the right alternative for "0 N M".

> This appeared to work fine, but then again: I don't know how I would
> detect a failure...  There aren't that many validating email clients out
> there.
> How do you test and validate TLSA records for SMTP, POP and IMAP?

Just for SMTP MTAs (port 25):


More information about the dane-users mailing list
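As an added illustration of the rule stated in the message above (this is example code, not from the thread, from Viktor's tools, or from any DANE project), the script below parses TLSA records in zone-file presentation form, flags the PKIX-TA(0)/PKIX-EE(1) usages that SHOULD NOT be published for MTA-to-MTA SMTP and names the "2 N M" / "3 X Y" replacement, checks that the digest length matches the matching type, and verifies a record against DER bytes the caller supplies. The zone lines and the SubjectPublicKeyInfo bytes are constructed for the demonstration; the owner-name check assumes the `_25._tcp.<mx-host>` naming used for port-25 SMTP.

```python
"""Check TLSA records for DANE SMTP (MTA-to-MTA, port 25) suitability.

Added example, not part of the original mailing-list thread. Assumes
records in zone-file presentation form and DER bytes supplied by the caller
(full certificate for selector 0, SubjectPublicKeyInfo for selector 1).
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Tuple

# RFC 6698 field names.
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EA" if False else "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR_NAMES = {0: "Cert", 1: "SPKI"}
MATCHING_NAMES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_LEN = {1: 32, 2: 64}  # expected "data" length in bytes per matching type

# For SMTP (RFC 7672) usages 0 and 1 SHOULD NOT be used: "2 N M" replaces
# "0 N M" and "3 X Y" replaces "1 X Y".
SMTP_REPLACEMENT = {0: 2, 1: 3}


@dataclass(frozen=True)
class TLSA:
    owner: str
    usage: int
    selector: int
    matching: int
    data: bytes


_TLSA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TLSA\s+"
    r"(?P<u>\d+)\s+(?P<s>\d+)\s+(?P<m>\d+)\s+(?P<hex>[0-9A-Fa-f\s]+)$"
)


def parse_tlsa(line: str) -> TLSA:
    """Parse one presentation-format TLSA record (TTL and class optional)."""
    m = _TLSA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a TLSA record: {line!r}")
    data = bytes.fromhex(re.sub(r"\s+", "", m.group("hex")))
    return TLSA(m.group("owner"), int(m.group("u")), int(m.group("s")),
                int(m.group("m")), data)


def check_smtp_tlsa(rec: TLSA) -> List[str]:
    """Return the problems found; an empty list means the record is usable for SMTP."""
    problems = []
    if rec.usage not in USAGE_NAMES:
        problems.append(f"unknown certificate usage {rec.usage}")
    elif rec.usage in SMTP_REPLACEMENT:
        problems.append(
            f"usage {rec.usage} ({USAGE_NAMES[rec.usage]}) SHOULD NOT be used for SMTP; "
            f"publish '{SMTP_REPLACEMENT[rec.usage]} {rec.selector} {rec.matching}' instead")
    if rec.selector not in SELECTOR_NAMES:
        problems.append(f"unknown selector {rec.selector}")
    if rec.matching not in MATCHING_NAMES:
        problems.append(f"unknown matching type {rec.matching}")
    elif rec.matching in DIGEST_LEN and len(rec.data) != DIGEST_LEN[rec.matching]:
        problems.append(
            f"{MATCHING_NAMES[rec.matching]} digest must be {DIGEST_LEN[rec.matching]} "
            f"bytes, got {len(rec.data)}")
    if not rec.owner.startswith("_25._tcp."):
        problems.append("SMTP TLSA records live at _25._tcp.<mx-host> (assumed naming)")
    return problems


def tlsa_matches(rec: TLSA, der: bytes) -> bool:
    """Compare the record data with the supplied DER bytes per the matching type."""
    if rec.matching == 0:
        return rec.data == der
    if rec.matching == 1:
        return rec.data == hashlib.sha256(der).digest()
    if rec.matching == 2:
        return rec.data == hashlib.sha512(der).digest()
    raise ValueError(f"unsupported matching type {rec.matching}")


def audit(lines: List[str]) -> List[Tuple[TLSA, List[str]]]:
    """Parse and check every line; returns (record, problems) pairs."""
    return [(rec, check_smtp_tlsa(rec)) for rec in map(parse_tlsa, lines)]


# Constructed sample input: a fake SPKI and a small zone fragment (not real keys).
SAMPLE_SPKI = b"constructed SubjectPublicKeyInfo DER bytes - not a real key"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_SPKI).hexdigest()
SAMPLE_ZONE = [
    f"_25._tcp.mx.example.com. IN TLSA 3 1 1 {SAMPLE_DIGEST}",  # DANE-EE: fine
    f"_25._tcp.mx.example.com. IN TLSA 1 1 1 {SAMPLE_DIGEST}",  # PKIX-EE: flagged
    "_25._tcp.mx.example.com. 3600 IN TLSA 2 0 1 " + "ab" * 32,  # DANE-TA: fine
    "_25._tcp.mx.example.com. IN TLSA 0 0 1 " + "ab" * 32,       # PKIX-TA: flagged
    "_25._tcp.mx.example.com. IN TLSA 3 1 1 " + "ab" * 8,        # truncated digest
]

if __name__ == "__main__":
    for rec, problems in audit(SAMPLE_ZONE):
        status = "OK " if not problems else "BAD"
        print(f"{status} {rec.usage} {rec.selector} {rec.matching} {rec.owner}")
        for p in problems:
            print(f"    - {p}")
    print("3 1 1 record matches sample SPKI:", tlsa_matches(parse_tlsa(SAMPLE_ZONE[0]), SAMPLE_SPKI))
```

Run it as-is to see the verdicts for the constructed zone; to check a real MX, feed `parse_tlsa` the records you publish and `tlsa_matches` the DER of the server's certificate (selector 0) or its SubjectPublicKeyInfo (selector 1) as obtained with your usual tooling.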