DANE verification enabled on MS Exchange Online
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed May 25 15:14:08 CEST 2022
On Wed, May 25, 2022 at 08:29:07AM -0400, Viktor Dukhovni wrote:
> > On 25 May 2022, at 8:03 am, Bjørn Mork <bjorn at mork.no> wrote:
> >
> > Is this recommending using non-DANE domains for such contact points?
>
> Not specifically. A skilled remote postmaster can figure out how to
> deliver email to a domain with DANE breakage, but indeed it may make
> sense to have a sub-domain with a non-DANE MX host for notices. That
> lowers the bar to getting the notices delivered.
A sensible option would be to configure something along the lines of:
$TTL 1h
$ORIGIN example.com.
@               IN SOA  ns1.example.com. tech.postmaster.example.com. (
                        ...             ; serial
                        3600            ; refresh (1 hour)
                        1200            ; retry (20 minutes)
                        604800          ; expire (1 week)
                        1200            ; minimum (20 minutes)
                        )
@               IN NS   ns1
@               IN MX   0 smtp.example.com.
ns1             IN A    192.0.2.1
;
smtp            IN A    192.0.2.2
_25._tcp.smtp   IN TLSA 3 1 1 ...current key hash...
_25._tcp.smtp   IN TLSA 3 1 1 ...future key hash...
;
postmaster      IN MX   0 postmaster
postmaster      IN A    192.0.2.2       ; same as smtp sans TLSA RRs
and to arrange to accept and read email for <tech at postmaster.example.com>,
as well as publish the email address as the WHOIS technical contact.
--
Viktor.
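A check for the split layout described in the post, as an added example that is not code from the post or from the mailing list: it parses a simplified zone, lists each MX host with whether TLSA records exist at `_25._tcp.<host>`, and reports the domains whose MX hosts carry no TLSA data, which is what makes them usable as contact points for DANE-breakage notices. It assumes one record per line with no SOA, `$ORIGIN` ending in a dot, and a constructed zone modelled on the one above with placeholder digests.

```python
# Added example, not code from the post or the mailing list. Assumes a
# simplified zone: one record per line, class IN, no SOA, $ORIGIN ends in ".".
# ZONE is constructed, modelled on the layout in the post; digests are placeholders.
ZONE = """
$TTL 1h
$ORIGIN example.com.
@ IN MX 0 smtp.example.com.
smtp IN A 192.0.2.2
_25._tcp.smtp IN TLSA 3 1 1 0123abcd   ; constructed placeholder digest
_25._tcp.smtp IN TLSA 3 1 1 4567ef01   ; constructed placeholder digest
postmaster IN MX 0 postmaster
postmaster IN A 192.0.2.2              ; same as smtp sans TLSA RRs
"""


def absolute(name, origin):
    """Turn a zone-file owner or target into a fully qualified name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text):
    """Return (owner, rtype, rdata) triples; owners and MX targets made absolute."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                     # $TTL etc. do not matter here
            continue
        tokens = line.split()
        owner, tokens = tokens[0], tokens[1:]
        if tokens[0] == "IN":
            tokens = tokens[1:]
        rtype, rdata = tokens[0], tokens[1:]
        if rtype == "MX":                            # rdata is [preference, target]
            rdata[1] = absolute(rdata[1], origin)
        records.append((absolute(owner, origin), rtype, rdata))
    return records


def dane_status(records):
    """Per mail domain, map each MX host to whether TLSA RRs exist at _25._tcp.<host>.
    Presence only: the TLSA data itself is not validated against any certificate."""
    tlsa_owners = {owner for owner, rtype, _ in records if rtype == "TLSA"}
    status = {}
    for owner, rtype, rdata in records:
        if rtype == "MX":
            status.setdefault(owner, {})[rdata[1]] = ("_25._tcp." + rdata[1]) in tlsa_owners
    return status


def domains_without_dane(status):
    """Domains whose MX hosts all lack TLSA RRs: deliverable even when DANE is broken."""
    return sorted(d for d, hosts in status.items() if not any(hosts.values()))
```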