On Tue, Jul 11, 2023 at 01:35:39PM +0200, Paul Menzel wrote:
Validating the SMTP DANE setup of, it results in success but the details show two untrusted certificates:
I should also mention that you can now also look at your domain's status at:
https://stats.dnssec-tools.org/explore/?molgen.mpg.de
which shows a more detailed (and so I think clearer) analysis, albeit at the cost of not being real-time (a once-a-day snapshot). There you'll see that there are no DANE TLSA issues with your domain, just some deprecated DS and DNSKEY parameters.
It is time to move on from algorithm 7 to either 13 (preferred) or 8 (if you must). Increasingly, some resolvers (particularly on RedHat systems) no longer support DNSSEC algorithms that use RSA+SHA1 signatures, i.e. algorithms 5 and 7, and their use has already declined 93% from peak values:
https://stats.dnssec-tools.org/#/?dnssec_param_tab=0
and now we're just waiting for the long-tail hangers-on.
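Added example, not part of the thread or of the stats site: a small Python audit that reads DNSKEY and DS records in zone-file form (what a zone dump or `dig +multi` would give), maps each algorithm number to its IANA name and RFC 8624 status, and lists what still needs to be rolled away from RSA+SHA1 (algorithms 5 and 7). It also flags a DS with a SHA-1 digest and a DS whose algorithm has no matching DNSKEY, the usual leftovers of a half-finished algorithm rollover. The records for `example.test` are constructed sample data, not the real zone discussed above.

```python
"""Audit DNSKEY/DS records for deprecated DNSSEC algorithms and digests.

Added example (not from the mailing-list thread). Input is zone-file style
text; sample records below are constructed for a hypothetical zone.
"""
from dataclasses import dataclass
from typing import List

# IANA DNSSEC algorithm numbers; status summarised from RFC 8624.
ALGORITHMS = {
    5:  ("RSASHA1",            "deprecated"),
    7:  ("RSASHA1-NSEC3-SHA1", "deprecated"),
    8:  ("RSASHA256",          "acceptable"),
    10: ("RSASHA512",          "acceptable"),
    13: ("ECDSAP256SHA256",    "recommended"),
    14: ("ECDSAP384SHA384",    "acceptable"),
    15: ("ED25519",            "recommended"),
    16: ("ED448",              "acceptable"),
}
# DS digest types: 1 = SHA-1 (deprecated), 2 = SHA-256, 4 = SHA-384.
DS_DIGESTS = {1: "SHA-1", 2: "SHA-256", 4: "SHA-384"}

# Constructed sample: old algorithm-7 KSK/ZSK, a new algorithm-13 KSK,
# an old DS with a SHA-1 digest, and a stray DS for algorithm 8.
SAMPLE_RECORDS = """\
example.test. 3600 IN DNSKEY 257 3 7 AwEAAcKSKplaceholder=    ; old KSK, alg 7
example.test. 3600 IN DNSKEY 256 3 7 AwEAAcZSKplaceholder=    ; old ZSK, alg 7
example.test. 3600 IN DNSKEY 257 3 13 mdssEcdsaPlaceholder=   ; new KSK, alg 13
example.test. 3600 IN DS 11111 7 1 0123456789abcdef0123456789abcdef01234567
example.test. 3600 IN DS 22222 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
example.test. 3600 IN DS 33333 8 2 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
"""


@dataclass
class Record:
    owner: str
    rrtype: str          # "DNSKEY" or "DS"
    algorithm: int
    algorithm_name: str
    status: str          # deprecated / acceptable / recommended / unknown
    role: str            # KSK or ZSK for DNSKEY, digest name for DS


def parse_records(text: str) -> List[Record]:
    """Parse DNSKEY and DS lines; comments and other record types are skipped."""
    records = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()        # drop trailing comment
        if "DNSKEY" in fields:
            i = fields.index("DNSKEY")
            rdata = fields[i + 1:]                    # flags protocol algorithm key
            if len(rdata) < 4:
                continue
            flags, alg = int(rdata[0]), int(rdata[2])
            role = "KSK" if flags & 1 else "ZSK"      # SEP bit marks the KSK
        elif "DS" in fields:
            i = fields.index("DS")
            rdata = fields[i + 1:]                    # keytag algorithm digesttype digest
            if len(rdata) < 4:
                continue
            alg, digest_type = int(rdata[1]), int(rdata[2])
            role = DS_DIGESTS.get(digest_type, f"digest {digest_type}")
        else:
            continue
        name, status = ALGORITHMS.get(alg, (f"unknown({alg})", "unknown"))
        records.append(Record(fields[0], fields[i], alg, name, status, role))
    return records


def audit(text: str) -> List[str]:
    """Return one finding per problem; an empty list means nothing to roll."""
    records = parse_records(text)
    key_algs = {r.algorithm for r in records if r.rrtype == "DNSKEY"}
    issues = []
    for r in records:
        if r.status == "deprecated":
            issues.append(f"{r.owner} {r.rrtype} ({r.role}) uses algorithm "
                          f"{r.algorithm} {r.algorithm_name}: roll to 13 "
                          "(ECDSAP256SHA256) or 8 (RSASHA256)")
        if r.rrtype == "DS" and r.role == "SHA-1":
            issues.append(f"{r.owner} DS uses a SHA-1 digest: republish with digest type 2")
        if r.rrtype == "DS" and r.algorithm not in key_algs:
            # RFC 4035 requires the zone to be signed with every algorithm in its DS set.
            issues.append(f"{r.owner} DS for algorithm {r.algorithm} has no matching DNSKEY")
    return issues


if __name__ == "__main__":
    for issue in audit(SAMPLE_RECORDS):
        print(issue)
```

Feed it the DNSKEY RRset from the zone and the DS RRset from the parent; a clean zone produces no findings, and an algorithm rollover is finished only once the algorithm-7 DNSKEYs and the old DS are both gone.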