Hi Björn,
On Friday, 14.06.2024 at 00:00 +0200, Björn Jacke via dane-users wrote:
On 13.06.24 23:16, Erwin Hoffmann wrote:
could somebody pls check
ns1.samba.org? (from list.samba.org)
I get strange results here.
smtp.samba.org
is just fine.
see https://en.wikipedia.org/wiki/Nolisting
If you use "nolisting" and use DANE, you should make sure to have syntactically correct TLSA records for the nolisting MX hosts, which ideally don't match any other existing cert. This is what ns1.samba.org has:
# host -t TLSA _25._tcp.ns1.samba.org
_25._tcp.ns1.samba.org has TLSA record 3 0 1 00000000000000000000000000000000000000000000000000000000 00000000
Could you point me to an RFC where this is specified?
I don't think that either 'nolisting' or publishing a 'nullified' TLSA record is a good idea.
And yes, I get:
dnstlsa -v ns1.samba.org
dnstlsa: info: checking for TLSA records: _25._tcp.ns1.samba.org
Usage: [3], Selector: [0], Type: [1] 0000000000000000000000000000000000000000000000000000000000000000
Regards. --eh.
Björn
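
Added example, not part of the original thread and not code from either poster: a small checker that parses `host -t TLSA` answer lines like the one quoted above, verifies that the digest length fits the matching type (32 bytes for SHA-256, 64 for SHA-512, per RFC 6698), and flags an all-zero placeholder digest. The function names and the second sample line (mx.example.test) are constructed for illustration.

```python
import re

# Digest length in bytes per TLSA matching type (RFC 6698): 1 = SHA-256, 2 = SHA-512.
# Matching type 0 carries the full certificate or key, so it has no fixed length.
DIGEST_LEN = {1: 32, 2: 64}

def parse_tlsa(line):
    """Parse one `host -t TLSA` answer line; raise ValueError if it is malformed."""
    m = re.search(r"has TLSA record\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)$",
                  line.strip())
    if not m:
        raise ValueError("not a TLSA answer line")
    usage, selector, mtype = (int(g) for g in m.group(1, 2, 3))
    hexdata = "".join(m.group(4).split())  # host prints long hex in space-separated chunks
    if len(hexdata) % 2:
        raise ValueError("odd number of hex digits")
    return {"usage": usage, "selector": selector, "mtype": mtype,
            "data": bytes.fromhex(hexdata)}

def classify(rec):
    """Return a list of findings for a parsed TLSA record (empty list = nothing to report)."""
    findings = []
    if rec["usage"] not in (0, 1, 2, 3):
        findings.append("unknown certificate usage")
    if rec["selector"] not in (0, 1):
        findings.append("unknown selector")
    if rec["mtype"] not in (0, 1, 2):
        findings.append("unknown matching type")
    elif rec["mtype"] in DIGEST_LEN and len(rec["data"]) != DIGEST_LEN[rec["mtype"]]:
        findings.append("digest is %d bytes, expected %d"
                        % (len(rec["data"]), DIGEST_LEN[rec["mtype"]]))
    if rec["data"] and set(rec["data"]) == {0}:
        findings.append("all-zero placeholder digest")
    return findings

# The record quoted in the thread, written with host's 56 + 8 hex-digit chunking.
THREAD_LINE = ("_25._tcp.ns1.samba.org has TLSA record 3 0 1 "
               + "0" * 56 + " " + "0" * 8)
# Constructed sample: a SHA-256 record that is one byte short.
SHORT_LINE = "_25._tcp.mx.example.test has TLSA record 3 1 1 " + "ab" * 31

if __name__ == "__main__":
    for line in (THREAD_LINE, SHORT_LINE):
        rec = parse_tlsa(line)
        print(line.split()[0], rec["usage"], rec["selector"], rec["mtype"], classify(rec))
```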