Best practice TLSA RRs for CA-issued certs

Michael Grimm trashcan at ellael.org
Thu Dec 29 20:31:24 CET 2016


On 14 Apr 2016, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:

I know that's an old mail :-) But I saved it for the time when I would be ready to deploy LE certificates. That time has come.

> One approach to making sure that DANE TLSA records are less likely
> to fail that should work well for sites using CA-issued certificates
> is to publish both "3 1 1" and "2 1 1" TLSA records:
> 
>    mx.example. IN TLSA 3 1 1 <digest of server public key>
>    mx.example. IN TLSA 2 1 1 <digest of immediate issuer public key>
[…]
> In particular, this is the best practice with Let's Encrypt
> issued SMTP server certificates, as explained in:
> 
>    https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/

First of all, I have to admit that I lack knowledge when it comes to certificates in general. So far, I have got along with self-signed certificates that I generated with the help of the numerous howtos one can find. It worked.

If I remember correctly, and if I understand your conclusions in other mails correctly, long-lasting self-signed certificates plus periodically rotated TLSAs are still a good basis for running a secured mail server on port 25. (FYI: I am using opendnssec for rotating every 3 months.)

After having read this best-practice document, I am still hesitant to deploy an LE certificate to my mail server's domain, because I do not understand all the implications yet.

Thus I would like to raise some newbie questions regarding the following project:

	domain:		example.org
	mailserver:	mx.example.org with TLSA 3 1 1
	IMAP server:	mail.example.org
	webserver:	www.example.org

#) Would it be possible to get *two* distinct LE certificates, one for the IMAP server and one for the web server ..
#) .. and simultaneously *keep* my self-signed certificate for the mail server ..
#) .. and forget about the issues mentioned above?

#) Or should I strictly separate my mail server from the rest by means of distinct domains instead?


Apologies in advance if these are silly questions, but as I mentioned above, I lack skills w.r.t. certificates.

Thanks in advance and regards,
Michael
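The quoted "3 1 1" plus "2 1 1" recommendation is easy to get wrong by hand (digesting the whole certificate instead of the SubjectPublicKeyInfo, or the leaf key instead of the issuer key). The script below is an added example, not code from the thread or from any project mentioned in it: it derives both records from a PEM server certificate and its issuer certificate using only the openssl command-line tool. The CA name "Example Issuing CA", the file names ca.crt/mx.crt and the owner name _25._tcp.mx.example.org. are assumptions for the demo; the throwaway CA and leaf certificate it generates are constructed stand-ins for a real CA chain such as Let's Encrypt's.

```shell
#!/bin/sh
# Added example (not part of the original thread): compute "3 1 1" and "2 1 1"
# TLSA records from a server certificate and its issuer, using only openssl.
# File names, the CA subject and the owner name below are made up for the demo;
# the constructed CA + leaf pair stands in for a real CA-issued chain.
set -eu

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a PEM certificate.
# Selector 1 (SPKI) rather than 0 (full certificate): a renewed certificate
# that keeps the same key yields the same digest, so the record survives renewal.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 \
      | awk '{ print $NF }'
}

# Emit the two records: DANE-EE (usage 3) for the server's own key and
# DANE-TA (usage 2) for the issuer's key.
# $1 = leaf certificate, $2 = issuer certificate, $3 = TLSA owner name.
tlsa_records() {
    leaf_digest=$(spki_sha256 "$1")
    issuer_digest=$(spki_sha256 "$2")
    printf '%s IN TLSA 3 1 1 %s\n' "$3" "$leaf_digest"
    printf '%s IN TLSA 2 1 1 %s\n' "$3" "$issuer_digest"
}

# --- demo: a throwaway CA and a leaf certificate it issues (constructed) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA certificate (plays the role of the issuing intermediate).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Server key and CSR, then a 90-day leaf certificate signed by the CA.
openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=mx.example.org" \
    -keyout "$WORK/mx.key" -out "$WORK/mx.csr" 2>/dev/null
openssl x509 -req -days 90 -sha256 -in "$WORK/mx.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/mx.crt" 2>/dev/null

# The leaf must actually chain to the issuer, otherwise a "2 1 1" record
# for that issuer can never match.
openssl verify -CAfile "$WORK/ca.crt" "$WORK/mx.crt" >/dev/null

tlsa_records "$WORK/mx.crt" "$WORK/ca.crt" "_25._tcp.mx.example.org."
```

The "2 1 1" record only helps if the server sends the issuer certificate in its TLS chain, since that is the certificate the client checks the digest against; and whenever the issuer changes, the "2 1 1" record has to be updated before the new chain goes live, which is exactly the failure the paired "3 1 1" record is there to cover.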


