On Wed, May 25, 2022 at 08:29:07AM -0400, Viktor Dukhovni wrote:
On 25 May 2022, at 8:03 am, Bjørn Mork <bjorn@mork.no> wrote:
Is this recommending using non-DANE domains for such contact points?
Not specifically. A skilled remote postmaster can figure out how to deliver email to a domain with DANE breakage, but indeed it may make sense to have a sub-domain with a non-DANE MX host for notices. That lowers the bar to getting the notices delivered.
A sensible option would be to configure something along the lines of:
    $TTL 1h
    $ORIGIN example.com.
    @               IN SOA   ns1.example.com. tech.postmaster.example.com. (
                             ...        ; serial
                             3600       ; refresh (1 hour)
                             1200       ; retry (20 minutes)
                             604800     ; expire (1 week)
                             1200       ; minimum (20 minutes)
                             )
    @               IN NS    ns1
    @               IN MX    0 smtp.example.com.
    ns1             IN A     192.0.2.1
    ;
    smtp            IN A     192.0.2.2
    _25._tcp.smtp   IN TLSA  3 1 1 ...current key hash...
    _25._tcp.smtp   IN TLSA  3 1 1 ...future key hash...
    ;
    postmaster      IN MX    0 postmaster
    postmaster      IN A     192.0.2.2   ; same as smtp sans TLSA RRs
and to arrange to accept and read email for tech@postmaster.example.com, as well as publish the email address as the WHOIS technical contact.
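The lookup logic a sending MTA applies to the zone layout above, as an added example that is not part of Viktor's message or of any project: for each MX target it asks for TLSA records at `_25._tcp.<host>`, and only when that RRset is non-empty does DANE verification gate delivery. The zone below is a constructed copy of the layout (names taken from the message, digests computed here from made-up SPKI byte strings, records held in a dict rather than fetched from DNS) so it runs offline; the `ZONE`, `*_SPKI` and function names are this example's own.

```python
"""DANE lookup over a constructed copy of the zone layout in the message:
one MX host with TLSA records, one notice sub-domain whose MX host shares
the IP but publishes no TLSA RRs.  Added example, not the original text;
all records and keys below are constructed."""
import hashlib

# Constructed stand-ins for the server's current and future public keys;
# real records hash the DER SubjectPublicKeyInfo of the certificate.
CURRENT_SPKI = b"constructed-current-spki"
FUTURE_SPKI = b"constructed-future-spki"
RETIRED_SPKI = b"constructed-retired-spki"   # a key no longer in the zone


def spki_sha256(spki: bytes) -> str:
    """Matching type 1: SHA-256 over the full SPKI, hex encoded."""
    return hashlib.sha256(spki).hexdigest()


# Zone held as {(owner, rrtype): [rdata, ...]} with fully qualified owners.
ZONE = {
    ("example.com.", "MX"): [(0, "smtp.example.com.")],
    ("smtp.example.com.", "A"): ["192.0.2.2"],
    ("_25._tcp.smtp.example.com.", "TLSA"): [
        (3, 1, 1, spki_sha256(CURRENT_SPKI)),
        (3, 1, 1, spki_sha256(FUTURE_SPKI)),    # pre-published for rollover
    ],
    ("postmaster.example.com.", "MX"): [(0, "postmaster.example.com.")],
    ("postmaster.example.com.", "A"): ["192.0.2.2"],   # same host, no TLSA
}


def lookup(name: str, rrtype: str) -> list:
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get((name, rrtype), [])


def mx_hosts(domain: str) -> list:
    """MX targets for a domain, lowest preference first."""
    return [host for _, host in sorted(lookup(domain, "MX"))]


def dane_status(domain: str) -> dict:
    """Map each MX host to the TLSA RRset at _25._tcp.<host>.  An empty
    list means the sender has no DANE policy for that host and delivers
    without DANE verification, which is the point of the notice sub-domain."""
    return {host: lookup(f"_25._tcp.{host}", "TLSA") for host in mx_hosts(domain)}


def tlsa_matches(tlsa_rrset: list, presented_spki: bytes) -> bool:
    """DANE-EE(3) / SPKI(1) / SHA-256(1) check: does any published digest
    equal the digest of the SPKI the server presented?  Only 3 1 1 records
    are handled; with both current and future hashes published, either key
    verifies, which is what makes the rollover safe."""
    digest = spki_sha256(presented_spki)
    return any(u == 3 and s == 1 and m == 1 and d == digest
               for (u, s, m, d) in tlsa_rrset)


if __name__ == "__main__":
    for dom in ("example.com.", "postmaster.example.com."):
        for host, rrset in dane_status(dom).items():
            print(dom, "->", host, "DANE" if rrset else "no TLSA, non-DANE delivery")
```

Running it shows `smtp.example.com.` under DANE with two usable digests and `postmaster.example.com.` with none, so a remote MTA whose DANE verification fails against the main host (for instance after a key change that the zone did not pre-publish, modelled by `RETIRED_SPKI`) can still deliver the notice to `tech@postmaster.example.com`.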