On 2/11/2015 12:25 PM, Viktor Dukhovni wrote:
On Wed, Feb 11, 2015 at 06:20:32PM +0100, Frank Fiene wrote:
That DNS setup looks better, thx.
For a shared key for multiple services that use distinct protocols:
_dane.mail.example.com. IN TLSA 3 1 1 <sha256 SPKI digest>
_25._tcp.mail.example.com. IN CNAME _dane.mail.example.com.
_110._tcp.mail.example.com. IN CNAME _dane.mail.example.com.
_143._tcp.mail.example.com. IN CNAME _dane.mail.example.com.
_587._tcp.mail.example.com. IN CNAME _dane.mail.example.com.
_993._tcp.mail.example.com. IN CNAME _dane.mail.example.com.
Note, I am not aware of any IMAP, POP or SMTP submission client software that uses DANE, so the records for ports other than 25 are largely pointless at present.
Just curious, you put the actual TLSA record first and then the CNAMEs. Any particular reason for the order?
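As an added illustration of the "3 1 1" shared-key layout Viktor describes (this is example code, not from the thread or from Postfix), the script below builds the TLSA certificate association data from a SubjectPublicKeyInfo, emits the one TLSA record plus the per-port CNAMEs, and shows the matching check a DANE-aware client performs. It assumes an Ed25519 key so the SPKI can be assembled from a fixed DER prefix without any third-party library; the 32 key bytes are constructed sample data, not a real server key. For a real deployment the SPKI comes from the server certificate (for example `openssl x509 -pubkey -noout`, DER-encoded).

```python
"""Build DANE-EE(3) SPKI(1) SHA-256(1) TLSA data for a shared key and the
CNAME records that point the per-port names at it, then verify a match.

Added example for the thread above, not code from the original message.
The key material is constructed sample data, not a real server key."""
import hashlib
import hmac

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
#   SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (0 unused bits, 32 bytes) }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

# Constructed sample public key bytes; NOT a real key.
SAMPLE_RAW_PUBKEY = bytes(range(32))

SHARED_NAME = "_dane.mail.example.com."
PORTS = (25, 110, 143, 587, 993)


def ed25519_spki_der(raw_pubkey: bytes) -> bytes:
    """Wrap 32 raw Ed25519 key bytes into a DER SubjectPublicKeyInfo."""
    if len(raw_pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ED25519_SPKI_PREFIX + raw_pubkey


def tlsa_311_data(spki_der: bytes) -> str:
    """Certificate association data for usage 3, selector 1, matching type 1:
    the SHA-256 digest of the DER SubjectPublicKeyInfo, as lowercase hex."""
    return hashlib.sha256(spki_der).hexdigest()


def zone_records(host: str, spki_der: bytes, ports=PORTS, shared=SHARED_NAME):
    """One TLSA record at the shared name and one CNAME per service port,
    mirroring the layout in the thread (host is given without trailing dot)."""
    records = [f"{shared} IN TLSA 3 1 1 {tlsa_311_data(spki_der)}"]
    for port in ports:
        records.append(f"_{port}._tcp.{host}. IN CNAME {shared}")
    return records


def matches_tlsa_311(spki_der: bytes, tlsa_rdata: str) -> bool:
    """Client-side check: the presented key's SPKI digest must equal the
    record's data. Only the 3 1 1 form is handled here; anything else
    is treated as a non-match rather than guessed at."""
    fields = tlsa_rdata.split()
    if len(fields) != 4 or fields[:3] != ["3", "1", "1"]:
        return False
    expected = fields[3].lower()
    return hmac.compare_digest(tlsa_311_data(spki_der), expected)


if __name__ == "__main__":
    spki = ed25519_spki_der(SAMPLE_RAW_PUBKEY)
    for line in zone_records("mail.example.com", spki):
        print(line)
    # Same key presented on every port matches the one shared record.
    rdata = "3 1 1 " + tlsa_311_data(spki)
    print("match:", matches_tlsa_311(spki, rdata))
```

Because all five CNAMEs resolve to the same TLSA record, rotating the key means updating one RRset; the usual DANE caveat applies that the new key must be published (and old caches expired) before the server starts presenting it, otherwise every port breaks at once.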