The danefail list on GitHub

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Apr 14 23:38:30 CEST 2018


Now that I am able to contribute commits to the danefail list at:

	https://github.com/danefail/list
	https://raw.githubusercontent.com/danefail/list/master/dane_fail_list.dat

I've pushed data for many of the domains served by MX hosts with persistent issues.

You can use this list to confirm that you're not the only one with delivery issues to one of the listed domains, and perhaps create exceptions for such domains in your configuration.

Also, please try to not end up on the list:

   https://dane.sys4.de/common_mistakes
   http://imrryr.org/~viktor/ICANN61-viktor.pdf
   http://imrryr.org/~viktor/icann61-viktor.mp3

Do implement monitoring of your own TLSA records and DNSSEC
zone.  Do implement a key/cert rollover process that ensures
that matching TLSA records for both the old and the new cert
have been in place for some time (multiple TTLs and slave zone
refresh times) before deploying new certificate chains.

When using DANE-TA(2) TLSA records, make sure that the certificate
does not expire, has a name that matches the MX hostname, and that
the trust-anchor certificate is included in the server's chain file.

-- 
	Viktor.
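
Added example, not part of the original message or of the danefail project: a sketch of the rollover gate described above, checking that TLSA records matching both the old and the new certificate have been published long enough before the new chain is deployed. The names Tlsa, matches and rollover_ready, the first_seen timestamp (taken from your own monitoring), the default of two TTLs, and the sample byte strings (constructed stand-ins for DER data) are all assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Tlsa:
    usage: int       # 2 = DANE-TA, 3 = DANE-EE
    selector: int    # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int       # 0 = exact match, 1 = SHA2-256, 2 = SHA2-512
    data: str        # certificate association data, hex
    first_seen: int  # epoch seconds when monitoring first saw it published

def matches(rec, cert_der, spki_der):
    """RFC 6698 matching of one TLSA record against one certificate.
    For DANE-TA(2) records, pass the trust-anchor certificate instead of the leaf."""
    if rec.selector not in (0, 1):
        return False
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        value = selected
    elif rec.mtype == 1:
        value = hashlib.sha256(selected).digest()
    elif rec.mtype == 2:
        value = hashlib.sha512(selected).digest()
    else:
        return False
    return value.hex() == rec.data.lower()

def rollover_ready(rrset, old, new, now, ttl, refresh, ttl_multiple=2):
    """True only if both (cert_der, spki_der) pairs are matched by records that
    have been published for at least ttl_multiple * ttl + refresh seconds."""
    min_age = ttl_multiple * ttl + refresh
    def aged(pair):
        return any(matches(r, *pair) and now - r.first_seen >= min_age
                   for r in rrset)
    return aged(old) and aged(new)

# Constructed sample data: stand-ins for DER bytes, not real certificates.
OLD = (b"constructed old cert DER", b"constructed old SPKI DER")
NEW = (b"constructed new cert DER", b"constructed new SPKI DER")
NOW, TTL, REFRESH = 1_000_000, 3600, 7200   # min_age = 2*3600 + 7200 = 14400
RRSET = [
    Tlsa(3, 1, 1, hashlib.sha256(OLD[1]).hexdigest(), NOW - 90 * 86400),
    Tlsa(3, 1, 1, hashlib.sha256(NEW[1]).hexdigest().upper(), NOW - 3600),
]

if __name__ == "__main__":
    print("deploy now:", rollover_ready(RRSET, OLD, NEW, NOW, TTL, REFRESH))
    print("deploy in 4h:", rollover_ready(RRSET, OLD, NEW, NOW + 14400, TTL, REFRESH))
```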



More information about the dane-users mailing list