Viktor Dukhovni wrote on 2015-04-09 02:04:
named.conf: dnssec-enable yes; dnssec-validation auto; dnssec-lookaside auto;
I don't recommend ISC DLV lookaside. This is obsolete.
Changed to no, thanks for the reminder; I knew this but just forgot it was deprecated.
main.cf:
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
These are Postfix SMTP client settings.
Yes, but it helps when testing the server IMHO, or is there a better way?
From then on I just use posttls-finger without any options:
posttls-finger dane.sys4.de
Which are not tested by posttls-finger; it tests the DANE configuration of remote domains, not the client settings of the local MTA, which it mostly does not use. (It does rely on the same working resolver.)
Not good? E.g., is testing one's own domains this way insecure in itself? Local or remote makes no difference there?
posttls-finger localhost
posttls-finger localhost.example.org
I tried to create a TLSA record with
printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' $(uname -n) $(openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"')
but it failed for me after the openssl upgrade to 1.0.1l.
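The printf pipeline above depends on the exact behaviour of several openssl subcommands and of hexdump. As an added example (not code from the thread or from Postfix), here is the same computation done in Python with only the standard library: it walks the certificate's DER structure to pull out the SubjectPublicKeyInfo (what selector 1 refers to in a "3 1 1" record), hashes it, and prints the record. The certificate it runs on is a constructed, unsigned stand-in built with a minimal DER encoder so the script runs offline; the host name mail.example.net is likewise made up. On a real system you would pass the PEM or DER file of the server certificate instead.

```python
"""Build a TLSA record (RFC 6698) from an X.509 certificate.

Selector 0 = full certificate, 1 = SubjectPublicKeyInfo.
Matching type 0 = exact data, 1 = SHA-256, 2 = SHA-512.
"""
import base64
import hashlib
import re


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, content, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    return tag, buf[start:start + length], start + length


def der_children(content: bytes):
    """Yield each raw child TLV of a constructed value."""
    pos = 0
    while pos < len(content):
        _, _, end = der_read(content, pos)
        yield content[pos:end]
        pos = end


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of a DER certificate."""
    _, cert, _ = der_read(cert_der)          # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert)               # first child: tbsCertificate
    fields = list(der_children(tbs))
    if fields and fields[0][0] == 0xA0:      # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]


def pem_to_der(text: str) -> bytes:
    body = re.sub(r"-----(BEGIN|END) [^-]+-----", "", text)
    return base64.b64decode("".join(body.split()))


def load_cert(data: bytes) -> bytes:
    """Accept either PEM or DER input and return DER bytes."""
    return pem_to_der(data.decode()) if data.lstrip().startswith(b"-----") else data


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tlsa_record(host: str, cert_der: bytes, usage=3, selector=1, mtype=1, port=25) -> str:
    data = {0: cert_der, 1: extract_spki(cert_der)}[selector]
    field = {0: data.hex(), 1: sha256_hex(data), 2: hashlib.sha512(data).hexdigest()}[mtype]
    return f"_{port}._tcp.{host.rstrip('.')}. IN TLSA {usage} {selector} {mtype} {field}"


# Constructed sample certificate (assumption: no real key, no valid signature).
_RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))        # rsaEncryption
_SHA256_RSA = der_seq(der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05, b""))
_NAME = der_seq(der(0x31, der_seq(der(0x06, bytes.fromhex("550403")),  # CN=
                                  der(0x0C, b"mail.example.net"))))
_VALIDITY = der_seq(der(0x17, b"250101000000Z"), der(0x17, b"260101000000Z"))
SAMPLE_SPKI = der_seq(
    der_seq(_RSA_OID, der(0x05, b"")),
    der(0x03, b"\x00" + der_seq(der(0x02, b"\x00" + b"\xab" * 32), der(0x02, b"\x01\x00\x01"))),
)
SAMPLE_CERT_DER = der_seq(
    der_seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
            _SHA256_RSA, _NAME, _VALIDITY, _NAME, SAMPLE_SPKI),
    _SHA256_RSA, der(0x03, b"\x00" * 33),
)


def sample_pem() -> str:
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(SAMPLE_CERT_DER).decode()
            + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                   # usage: tlsa.py HOST CERTFILE
        cert = load_cert(open(sys.argv[2], "rb").read())
        print(tlsa_record(sys.argv[1], cert))
    else:
        print(tlsa_record("mail.example.net", load_cert(sample_pem().encode())))
```

Because selector 1 hashes only the public key, the record stays valid across certificate renewals as long as the key pair is kept; a "3 0 1" record (full certificate) must be republished, with the DNS TTL taken into account, every time the certificate changes.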