Wildcard certificate and DANE/TLSA records

[zorion]

On 12/31/18 2:21 PM, Viktor Dukhovni wrote:

>> On Dec 31, 2018, at 2:01 PM, zorion <zorion at autistici.org> wrote:
>>
>> Ok, I had a hard time finding out what exactly the *trust-anchor* was
>> supposed to be. I took a guess that it was the combined cert chain, but
>> obviously that is not it.
> A trust-anchor is any issuing CA you designate as trusted, and it does
> not have to be a root CA, it can also be any intermediate CA.

Thank you for the explanation!

>> What exactly is the trust-anchor? Is it the top level cert from the CA
>> in the chain (#4 in your danecheck below)?
> It is any of 2, 3 or 4.  The important constraint with DANE-TA(2), as
> explained in https://tools.ietf.org/html/rfc7671#section-5.2.2, is
> that if you do choose a root CA as your trust-anchor, unlike the
> case in non-DANE PKIX protocols, it MUST be sent to the client along
> with the intermediate issuer certificates.

Would that be the smtp_tls_CAfile option in postfix? I've got an
intermediate bundle that I provide to that option in main.cf


> To compute the digest of a CA certificate, create a PEM file containing
> just that certificate.  Or use my "chaingen" script (attached), which
> can process a complete chain of certificates, but DO NOT then publish
> all the TLSA records it outputs.  Publish no more than one TLSA record
> per certificate in the chain, typically just the "3 1 1" for the EE
> cert, and "2 1 1" for the TA certs.  And no need to match at every
> level.  At most two trust anchors (typically just one) are enough.

Thanks! Is there a benefit for also publishing the "2 1 1" TA certs if
I'm already publishing the "3 1 1" EE cert?


ps. accidentally only sent this directly to Viktor, sending it to the list.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.sys4.de/pipermail/dane-users/attachments/20181231/21a94c25/attachment.html>