[dns-operations] TLSA records on MX
Zuleger, Holger, Vodafone DE
holger.zuleger at vodafone.com
Mon Jun 10 14:56:40 UTC 2013
Hi,
> | My domain with such records is "spodhuis.org", and I'm happy for its
> | mail-server to be similarly probed for interop purposes.
>
> I added the _25._tcp TLSA record, feel free to use my domain
> (dougbarton.us) for such testing. My MX server is postfix 2.10.
as far as I understand draft-ietf-dane-srv (see Chapter 6), the TLS certificate
of the server authenticates the SRV query domain (which is dougbarton.us)
and the server SHOULD also have a certificate that authenticates the target
domain (which is in your case dougbarton.us as well), but the certificate
you are providing authenticates the domain www.dougbarton.us, right?
The certificate provided by spodhuis.org authenticates the target mx.spodhuis.org,
but not the query domain (which is spodhuis.org).
Do I maybe misinterpret the draft?
Here is the relevant text:
<cite draft-ietf-dane-srv-02>
6. Guidance for server operators
In order to support this specification, server software MUST
implement the TLS Server Name Indication extension (TLS SNI)
[RFC6066] for selecting the appropriate certificate.
A server that supports TLS and is the target of a SRV record MUST
have a TLS certificate that authenticates the SRV query domain (i.e.
the service domain, or "source domain" in [RFC6125] terms). This is
necessary for clients that cannot perform DNSSEC validation. This
certificate MUST be the default that is presented if the client does
not use TLS SNI.
In order to support this specification, the server SHOULD also have a
certificate that authenticates the SRV target domain (the mail server
hostname). This can be done using a multi-name certificate or by
using the client's TLS SNI to select the appropriate certificate.
The server's TLSA record SHOULD correspond to this certificate.
</cite>
Regards
Holger
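As an added illustration of the two checks discussed in this message (not code from the post or from any of the servers named in it): the name-matching rule from draft-ietf-dane-srv section 6 applied to the SRV query domain and the SRV target domain, and the computation of the TLSA association data for selector 0 (full certificate) versus selector 1 (SubjectPublicKeyInfo). The script uses only the Python standard library; to stay self-contained it builds a toy DER certificate (right field order, no real signature) rather than loading a real one, so `toy_cert`, `toy_spki` and the DNS names in the sample calls are constructed for the example. The names mx.spodhuis.org / spodhuis.org mirror the case described above; everything else is an assumption of this example.

```python
"""DANE-SRV name check and TLSA association data, stdlib only (example code)."""
import hashlib

SEQ, INT, BITSTR, NULL, OID, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0
OID_RSA = bytes.fromhex("2a864886f70d010101")        # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """Encode one DER TLV (single-byte tags only; enough for the toy cert)."""
    return bytes([tag]) + _der_len(len(body)) + body


def der_children(tlv):
    """Return the child TLVs of a constructed DER element, as raw bytes."""
    pos, first = 2, tlv[1]
    length = first
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(tlv[pos:pos + n], "big")
        pos += n
    end, out = pos + length, []
    while pos < end:
        start = pos
        pos += 1                      # tag
        l = tlv[pos]
        pos += 1
        if l & 0x80:
            n = l & 0x7F
            l = int.from_bytes(tlv[pos:pos + n], "big")
            pos += n
        pos += l
        out.append(tlv[start:pos])
    return out


def toy_spki(pubkey_bytes):
    """Constructed SubjectPublicKeyInfo: rsaEncryption + opaque key bits."""
    alg = der(SEQ, der(OID, OID_RSA) + der(NULL, b""))
    return der(SEQ, alg + der(BITSTR, b"\x00" + pubkey_bytes))


def toy_cert(spki, serial=1):
    """Constructed Certificate with the X.509 field order; signature is dummy."""
    sig_alg = der(SEQ, der(OID, OID_SHA256_RSA) + der(NULL, b""))
    validity = der(SEQ, der(UTCTIME, b"130610000000Z") * 2)
    tbs = der(SEQ, b"".join([
        der(CTX0, der(INT, b"\x02")),  # [0] version v3
        der(INT, bytes([serial])),     # serialNumber
        sig_alg, der(SEQ, b""),        # signature, issuer (empty Name)
        validity, der(SEQ, b""),       # validity, subject (empty Name)
        spki,                          # subjectPublicKeyInfo
    ]))
    return der(SEQ, tbs + sig_alg + der(BITSTR, b"\x00" * 33))


def extract_spki(cert_der):
    """Walk Certificate -> TBSCertificate and return the raw SPKI TLV."""
    fields = der_children(der_children(cert_der)[0])
    if fields[0][0] == CTX0:           # optional version is [0] EXPLICIT
        fields = fields[1:]
    return fields[5]                   # serial, sigalg, issuer, validity, subject, SPKI


def tlsa_assoc_data(selector, mtype, cert_der):
    """RFC 6698 association data: selector picks the input, mtype the digest."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %r" % mtype)


def tlsa_rdata(usage, selector, mtype, cert_der):
    """Presentation-format RDATA for e.g. _25._tcp.<mx> IN TLSA ..."""
    return "%d %d %d %s" % (usage, selector, mtype,
                            tlsa_assoc_data(selector, mtype, cert_der).hex())


def tlsa_matches(rdata, cert_der):
    """True if the presented certificate matches a published TLSA RDATA string."""
    _usage, selector, mtype, hexdata = rdata.split()
    return tlsa_assoc_data(int(selector), int(mtype), cert_der) == bytes.fromhex(hexdata)


def name_matches(presented, reference):
    """RFC 6125 style DNS-ID match: wildcard only as whole leftmost label."""
    p, r = presented.lower().rstrip("."), reference.lower().rstrip(".")
    if "*" not in p:
        return p == r
    pl, rl = p.split("."), r.split(".")
    return pl[0] == "*" and len(pl) == len(rl) and len(pl) > 2 and pl[1:] == rl[1:]


def dane_srv_name_check(query_domain, target_domain, cert_dns_names):
    """Which of the two draft-ietf-dane-srv names does this certificate cover?"""
    return {"query_domain": any(name_matches(n, query_domain) for n in cert_dns_names),
            "target_domain": any(name_matches(n, target_domain) for n in cert_dns_names)}


if __name__ == "__main__":
    cert = toy_cert(toy_spki(b"\x01" * 64))
    print("_25._tcp.mx.example.net. IN TLSA", tlsa_rdata(3, 1, 1, cert))
    print(dane_srv_name_check("spodhuis.org", "mx.spodhuis.org", ["mx.spodhuis.org"]))
```

A certificate that only names the MX host passes the `target_domain` check and fails the `query_domain` one, which is exactly the situation the message describes for mx.spodhuis.org; a multi-name certificate listing both, or SNI selection between two certificates, satisfies both. Re-keying the server changes the selector 1 digest, while re-issuing a certificate on the same key changes only the selector 0 digest, which is why the two selectors deserve different operational handling.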