On Tue, Jul 11, 2023 at 01:35:39PM +0200, Paul Menzel wrote:
> Validating the SMTP DANE setup of, it results in success but the details
> show two untrusted certificates:
>
I should also mention that you can now also look at your domain's
status at:
https://stats.dnssec-tools.org/explore/?molgen.mpg.de
which shows a more detailed (and so I think more clear) analysis, be it
at the cost of not being real-time (a once a day snapshot). There
you'll see that there are no DANE TLSA issues with your domain, just
some deprecated DS and DNSKEY parameters.
It is time to move on from algorithm 7 to either 13 (preferred) or 8 (if
you must). Increasingly, some resolvers (particularly on RedHat
systems) no longer support DNSSEC algorithms that use RSA+SHA1
signatures, i.e. algorithms 5 and 7, and their use has already
declined 93% from peak values:
https://stats.dnssec-tools.org/#/?dnssec_param_tab=0
and now we're just waiting for the long-tail hangers-on.
--
Viktor.
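The migration advice above (away from RSA+SHA1, i.e. DNSSEC algorithms 5 and 7, toward 13 or 8) is easy to check locally before and after a key rollover. The following script is an added example for this list post, not Viktor's code and not part of dnssec-tools.org; it parses DNSKEY and DS records in the presentation format that `dig DNSKEY <zone>` and `dig DS <zone>` print and reports which records still use deprecated parameters. The record lines in `SAMPLE_BEFORE` and `SAMPLE_AFTER` are constructed, the key material and digests are not real, and the zone name `example.net.` is a placeholder.

```python
import re

# IANA DNSSEC algorithm numbers by name (display only).
ALGORITHM_NAMES = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}
# Status labels follow the advice in the message above: RSA+SHA1 (5, 7) is
# deprecated, 13 is preferred, 8 is acceptable. Anything else is "other".
DEPRECATED_ALGS = {5, 7}
PREFERRED_ALGS = {13}
ACCEPTABLE_ALGS = {8}
# DS digest types: 1 = SHA-1 (deprecated), 2 = SHA-256, 4 = SHA-384.
DS_DIGEST_NAMES = {1: "SHA-1", 2: "SHA-256", 4: "SHA-384"}
DEPRECATED_DS_DIGESTS = {1}

# owner [TTL] [IN] DNSKEY flags protocol algorithm key
_DNSKEY_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+3\s+(\d+)\s+\S")
# owner [TTL] [IN] DS keytag algorithm digesttype digest
_DS_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DS\s+(\d+)\s+(\d+)\s+(\d+)\s+\S")


def algorithm_status(alg):
    if alg in DEPRECATED_ALGS:
        return "deprecated"
    if alg in PREFERRED_ALGS:
        return "preferred"
    if alg in ACCEPTABLE_ALGS:
        return "acceptable"
    return "other"


def audit(records):
    """Return one finding per DNSKEY or DS record; other lines are ignored."""
    findings = []
    for raw in records.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _DNSKEY_RE.match(line)
        if m:
            owner, flags, alg = m.group(1), int(m.group(2)), int(m.group(3))
            findings.append({
                "owner": owner, "type": "DNSKEY",
                "role": "KSK" if flags & 1 else "ZSK",  # low bit is the SEP flag
                "algorithm": alg,
                "name": ALGORITHM_NAMES.get(alg, "alg%d" % alg),
                "status": algorithm_status(alg),
            })
            continue
        m = _DS_RE.match(line)
        if m:
            owner, keytag, alg, digest = (m.group(1), int(m.group(2)),
                                          int(m.group(3)), int(m.group(4)))
            status = algorithm_status(alg)
            if digest in DEPRECATED_DS_DIGESTS:
                status = "deprecated"  # SHA-1 DS digest needs replacing too
            findings.append({
                "owner": owner, "type": "DS", "keytag": keytag,
                "algorithm": alg,
                "name": ALGORITHM_NAMES.get(alg, "alg%d" % alg),
                "digest": DS_DIGEST_NAMES.get(digest, "digest%d" % digest),
                "status": status,
            })
    return findings


def problems(records):
    """Human-readable list of records that still need migration."""
    out = []
    for f in audit(records):
        if f["status"] != "deprecated":
            continue
        if f["type"] == "DNSKEY":
            out.append("%s DNSKEY %s algorithm %d (%s) is deprecated"
                       % (f["owner"], f["role"], f["algorithm"], f["name"]))
        else:
            out.append("%s DS keytag %d algorithm %d (%s) digest %s is deprecated"
                       % (f["owner"], f["keytag"], f["algorithm"], f["name"], f["digest"]))
    return out


# Constructed sample data; key blobs and digests are placeholders, not real keys.
SAMPLE_BEFORE = """\
; dig DNSKEY example.net. (constructed)
example.net. 3600 IN DNSKEY 257 3 7 AwEAAcONSTRUCTEDKSKPLACEHOLDER==
example.net. 3600 IN DNSKEY 256 3 7 AwEAAcONSTRUCTEDZSKPLACEHOLDER==
example.net. 3600 IN RRSIG DNSKEY 7 2 3600 20230801000000 20230701000000 12345 example.net. placeholder==
example.net. 86400 IN DS 12345 7 1 0123456789ABCDEF0123456789ABCDEF01234567
"""
SAMPLE_AFTER = """\
example.net. 3600 IN DNSKEY 257 3 13 cONSTRUCTEDKSKPLACEHOLDER==
example.net. 3600 IN DNSKEY 256 3 13 cONSTRUCTEDZSKPLACEHOLDER==
example.net. 86400 IN DS 54321 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label + ":", problems(sample) or ["no deprecated parameters"])
```

Feed it the actual `dig` output for your zone (and the DS set from the parent) to confirm that both the DNSKEY algorithm and the DS digest type were updated by the rollover; a DS that still references the old algorithm 7 key is the usual leftover.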