[dns-operations] TLSA records on MX

Doug Barton dougb at dougbarton.us
Mon Jun 10 19:54:39 UTC 2013


On 06/10/2013 07:56 AM, Zuleger, Holger, Vodafone DE wrote:
> Hi,
>
>> | My domain with such records is "spodhuis.org", and I'm happy for its
>> | mail-server to be similarly probed for interop purposes.
>>
>> I added the _25._tcp TLSA record, feel free to use my domain
>> (dougbarton.us) for such testing. My MX server is postfix 2.10.
>
> as far as I understand draft-ietf-dane-srv (see Chapter 6), the TLS certificate
> of the server authenticates the SRV query domain (which is dougbarton.us)
> and the server SHOULD also have a certificate that authenticates the target
> domain (which is in your case dougbarton.us as well), but the certificate
> you are providing authenticates the domain www.dougbarton.us, right?

That's the CN, yes. It also has dougbarton.us as an alt name, which 
hasn't been a problem for any other software so far.

hth,

Doug
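
An added illustration, not part of the original message and not code from Postfix or any other MTA: a simplified RFC 6125-style name check showing why a dNSName alt name of dougbarton.us satisfies the reference identifier even though the CN is www.dougbarton.us. The certificate dictionaries are constructed samples in the shape returned by Python's ssl.getpeercert(), and all function names are hypothetical.

```python
# Constructed sample: CN and alt name as described in the message above.
CERT = {
    "subject": ((("commonName", "www.dougbarton.us"),),),
    "subjectAltName": (("DNS", "dougbarton.us"),),
}
# Constructed sample: a legacy certificate with no subjectAltName at all.
CN_ONLY = {"subject": ((("commonName", "www.dougbarton.us"),),)}


def label_match(pattern, name):
    """Compare one presented DNS name against one reference identifier.
    A wildcard is honoured only as the complete left-most label and
    never directly under a top-level domain (simplified rule)."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == n[1:]
    return p == n


def presented_names(cert):
    """Return (source, names). dNSName alt names take precedence; the
    subject CN is consulted only when no dNSName entry is present."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return "SAN", sans
    cns = [v for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return "CN", cns


def cert_matches(cert, reference_ids):
    """Map each reference identifier (query domain, target host) to
    whether any presented name authenticates it."""
    _, names = presented_names(cert)
    return {ref: any(label_match(p, ref) for p in names)
            for ref in reference_ids}


if __name__ == "__main__":
    # Query domain and target domain are both dougbarton.us in the thread.
    print(presented_names(CERT), cert_matches(CERT, ["dougbarton.us"]))
    print(presented_names(CN_ONLY), cert_matches(CN_ONLY, ["dougbarton.us"]))
```
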



