DANE verification enabled on MS Exchange Online

Viktor Dukhovni ietf-dane at dukhovni.org
Wed May 25 15:14:08 CEST 2022


On Wed, May 25, 2022 at 08:29:07AM -0400, Viktor Dukhovni wrote:

> > On 25 May 2022, at 8:03 am, Bjørn Mork <bjorn at mork.no> wrote:
> > 
> > Is this recommending using non-DANE domains for such contact points?
> 
> Not specifically.  A skilled remote postmaster can figure out how to
> deliver email to a domain with DANE breakage, but indeed it may make
> sense to have a sub-domain with a non-DANE MX host for notices.  That
> lowers the bar to getting the notices delivered.

A sensible option would be to configure something along the lines of:

    $TTL 1h
    $ORIGIN example.com.
    @ IN SOA ns1.example.com. tech.postmaster.example.com. (
                    ...        ; serial
                    3600       ; refresh (1 hour)
                    1200       ; retry (20 minutes)
                    604800     ; expire (1 week)
                    1200       ; minimum (20 minutes)
                    )
    @ IN NS ns1
    @ IN MX 0 smtp.example.com.
    ns1 IN A 192.0.2.1
    ;
    smtp IN A 192.0.2.2
    _25._tcp.smtp IN TLSA 3 1 1 ...current key hash...
    _25._tcp.smtp IN TLSA 3 1 1 ...future key hash...
    ;
    postmaster IN MX 0 postmaster
    postmaster IN A 192.0.2.2 ; same as smtp sans TLSA RRs

and to arrange to accept and read email for <tech at postmaster.example.com>,
as well as publish the email address as the WHOIS technical contact.

-- 
	Viktor.
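As an added example (not part of the original post), a small zone-file checker that applies the idea above: it parses MX and TLSA records and reports which mail domains are reachable by a sender that has no usable TLSA for the MX host, so a sub-domain like postmaster.example.com can be confirmed to be a non-DANE contact point. The embedded zone is a constructed, single-line-record copy of the layout in the post with placeholder TLSA hashes.

```python
# Constructed zone text mirroring the post's layout. The TLSA hashes are
# obvious placeholders, not real key digests; SOA/NS omitted (this parser
# does not handle multi-line parenthesised records).
ZONE = """\
$ORIGIN example.com.
@ IN MX 0 smtp.example.com.
smtp IN A 192.0.2.2
_25._tcp.smtp IN TLSA 3 1 1 0000000000000000000000000000000000000000000000000000000000000001
_25._tcp.smtp IN TLSA 3 1 1 0000000000000000000000000000000000000000000000000000000000000002
postmaster IN MX 0 postmaster
postmaster IN A 192.0.2.2 ; same host as smtp, but no TLSA RRs
"""

def _absolute(name, origin):
    """Expand an owner or MX target to a fully qualified name under $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (mx, tlsa): mx maps domain -> [MX hosts], tlsa maps owner -> RR count."""
    origin, mx, tlsa = ".", {}, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0].startswith("$"):                  # $TTL etc.
            continue
        owner, rest = _absolute(fields[0], origin), fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH")):
            rest.pop(0)                                # optional TTL / class
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype == "MX":                              # rdata: preference target
            mx.setdefault(owner, []).append(_absolute(rdata[1], origin))
        elif rtype == "TLSA":
            tlsa[owner] = tlsa.get(owner, 0) + 1
    return mx, tlsa

def dane_coverage(mx, tlsa):
    """Map each mail domain to {mx_host: has_tlsa}, keyed on _25._tcp.<host>."""
    return {d: {h: f"_25._tcp.{h}" in tlsa for h in hosts} for d, hosts in mx.items()}

def non_dane_contact_domains(zone_text):
    """Domains none of whose MX hosts publish TLSA: deliverable without DANE."""
    mx, tlsa = parse_zone(zone_text)
    cov = dane_coverage(mx, tlsa)
    return sorted(d for d, hosts in cov.items() if not any(hosts.values()))
```

Run against a real zone dump, the output lists the domains a remote postmaster can still reach while DANE for the main domain is broken.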


