[dns-operations] TLSA records on MX

Dan York york at isoc.org
Tue Jun 11 00:40:57 UTC 2013


On 6/7/13 12:34 PM, "Phil Pennock" <dnsop+phil at spodhuis.org> wrote:

>As part of a push to get both Exim and Postfix supporting DANE with TLSA
>records, per current IETF drafts, I'm wondering if anyone here has
>deployed both DNSSEC signing for a zone and TLSA records within that
>zone for their MX hostnames?
>So far, I know of six domains, one mine.

I have three domains listed under the SMTP section on our list of DANE
Test Sites:


I don't know if those are already in your list of six domains.  I would be
glad to add others, such as yours, Phil, if you are okay having it
publicly listed.

>If folks can get back to me (off-list fine) and let me know of any they
>have, and if they'd be willing to let their MX server be occasionally
>probed during development for interop purposes, I'd appreciate it.  The
>former (TLSA) without the latter (probe-okay) is fine.

So to be clear, I can state that there are three domains that have
reported to us (Internet Society) that they have TLSA records set up for
their MX server.  I can't state whether they would be willing to let their
MX server be occasionally probed. (Although I suspect they would probably
be okay with what you describe.)

>My domain with such records is "spodhuis.org", and I'm happy for its
>mail-server to be similarly probed for interop purposes.

Shall I also add it to our list?

It is great that you are doing this DANE/DNSSEC work for Exim and Postfix.
If I can help publicize your work (or your call for people to help)
please let me know.  I'm here to help in whatever way toward accelerating
the deployment of DNSSEC (and thereby DANE).


Dan York
Senior Content Strategist, Internet Society
york at isoc.org   +1-802-735-1624
Jabber: york at jabber.isoc.org
Skype: danyork   http://twitter.com/danyork

