Hi Björn,

On Friday, 14.06.2024 at 00:00 +0200, Björn Jacke via dane-users wrote:
On 13.06.24 23:16, Erwin Hoffmann wrote:
could somebody pls check
ns1.samba.org? (from list.samba.org)
I get strange results here.
smtp.samba.org
is just fine.
see https://en.wikipedia.org/wiki/Nolisting
If you use "nolisting" and use DANE, you should make sure to have syntactically correct TLSA records for the nolisting MX hosts, which ideally don't match any other existing cert. This is what ns1.samba.org has:
# host -t TLSA _25._tcp.ns1.samba.org
_25._tcp.ns1.samba.org has TLSA record 3 0 1 00000000000000000000000000000000000000000000000000000000 00000000
could you point me to an RFC where this is specified? I don't think that either 'nolisting' or publishing a 'nullified' TLSA record is a good idea.

And yes, I get:

dnstlsa -v ns1.samba.org
dnstlsa: info: checking for TLSA records: _25._tcp.ns1.samba.org
Usage: [3], Selector: [0], Type: [1]
0000000000000000000000000000000000000000000000000000000000000000

Regards.
--eh.
Björn
--
Dr. Erwin Hoffmann | www.fehcom.de
PGP key-id: 20FD6E671A94DC1E
PGP key-fingerprint: 8C6B 155B 0FDA 64F1 BCCE A6B9 20FD 6E67 1A94 DC1E
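
An added example, not part of the thread and not code from dnstlsa or any list member: a check that tells a syntactically valid but never-matching TLSA record, such as the all-zero "3 0 1" record quoted above, apart from a malformed one. The example.net names, the sample lines, the "placeholder" label and the repeated-byte heuristic are assumptions of this example.

```python
import hashlib
import re

# Digest sizes in bytes per TLSA matching type (RFC 6698):
# 1 = SHA-256, 2 = SHA-512. Type 0 carries full data of no fixed length.
DIGEST_LEN = {1: 32, 2: 64}

def parse_host_tlsa(line):
    """Parse one `host -t TLSA` answer line into (usage, selector, mtype, data)."""
    m = re.search(r"has TLSA record (\d+) (\d+) (\d+) ([0-9A-Fa-f ]+)$", line.strip())
    if not m:
        raise ValueError("not a TLSA answer line")
    usage, selector, mtype = (int(m.group(i)) for i in (1, 2, 3))
    # host(1) breaks long hex strings with spaces; join before decoding.
    data = bytes.fromhex(m.group(4).replace(" ", ""))
    return usage, selector, mtype, data

def classify_tlsa(usage, selector, mtype, data):
    """Return 'malformed', 'placeholder' or 'ok' for one TLSA record."""
    if usage not in range(4) or selector not in (0, 1) or mtype not in (0, 1, 2):
        return "malformed"
    if not data or (mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]):
        return "malformed"
    # Heuristic (assumption of this example): a digest made of one repeated
    # byte is well-formed but is not a value a real certificate will hash to.
    if mtype in DIGEST_LEN and len(set(data)) == 1:
        return "placeholder"
    return "ok"

def audit(lines):
    """Classify every answer line in a list of `host -t TLSA` output lines."""
    return [classify_tlsa(*parse_host_tlsa(line)) for line in lines]

# Constructed sample lines. The first has the shape of the record in the thread.
SAMPLES = [
    "_25._tcp.ns1.samba.org has TLSA record 3 0 1 " + "0" * 56 + " " + "0" * 8,
    "_25._tcp.mx.example.net has TLSA record 3 1 1 "
    + hashlib.sha256(b"constructed key material").hexdigest(),
    "_25._tcp.bad.example.net has TLSA record 3 0 1 00000000",
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLES, audit(SAMPLES)):
        print(verdict, "-", line.split(" has ")[0])
```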