Postfix DANE support for Certificate Usage = 0/1?

Michael Ströder michael at
Sun Mar 1 20:37:04 CET 2015

Viktor Dukhovni wrote:
> The two models coexist seamlessly, and many existing DANE SMTP
> sites use certificates from a public CA.

But you switch off X.509 validation if DANE is used.

I'd like to see DNSSEC/DANE/TLSA as an *additional* mechanism but still
requiring X.509 validation to be fully performed. With this multiple trust
anchors would be effective which is IMO the real solution.

Ciao, Michael.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4252 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the dane-users mailing list