Hi,

> Are you aware that regardless of how long a cert is valid, once
> it expires you will need its rollover?

Yes, I'm aware of that and it's what I'm doing anyway when the used certificate is near its expiration date. But when using only 3 1 1 DANE records I can only publish the new certificate as soon as it is signed, and then delete the old record a few days later. Taking the https://en.internet.nl/mail/ recommendation, this would then never "meet" the recommendation except for the few days where two TLSA records exist (usually a few days overlapping):

We recommend you to apply one of the following two schemes with double DANE TLSA records:

Current + Next ("3 1 1" + "3 1 1"): Publish two "DANE-EE(3) SPKI(1) SHA2-256(1)" records, one for the current and one for the next TLS certificate of your mail server.

Current + Issuer CA ("3 1 1" + "2 1 1"): Publish a "DANE-EE(3) SPKI(1) SHA2-256(1)" record for the current TLS certificate of your mail server, and also a "DANE-TA(2) SPKI(1) SHA2-256(1)" record for the current root or intermediate certificate of the (not necessarily public) certificate authority.

> IMO, avoid using 2 x x if the issuing CA is not under your
> control, as that cert can change without your notice.

It can change (so I would have to check at least each time I get a new certificate for the MTA), but not as long as the actual certificate is valid (at least to my understanding).

Using self-signed certificates would make it impossible to use DANE and MTA-STS at the same host I guess, right?

Btw. is 2 1 1 or 2 0 1 to be preferred if it would be used?

Regards
Norbert
_______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
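As an added example, not from this thread or from internet.nl: how the TLSA RDATA for the "Current + Next" scheme quoted above is derived with openssl, and what a renewal that keeps the same key pair does to a 3 1 1 record compared with a 3 0 1 record. The hostname, file names and the self-signed test certificates are assumptions made up for the demo.

```shell
# tlsa_rdata USAGE SELECTOR CERT.pem -> "USAGE SELECTOR 1 <sha256-hex>"
# selector 0 hashes the full DER certificate, selector 1 hashes only the
# DER SubjectPublicKeyInfo; matching type 1 is SHA2-256.
tlsa_rdata() {
    usage=$1; selector=$2; cert=$3
    if [ "$selector" = 1 ]; then
        digest=$(openssl x509 -in "$cert" -noout -pubkey \
                 | openssl pkey -pubin -outform DER \
                 | openssl dgst -sha256 | awk '{print $NF}')
    else
        digest=$(openssl x509 -in "$cert" -outform DER \
                 | openssl dgst -sha256 | awk '{print $NF}')
    fi
    printf '%s %s 1 %s\n' "$usage" "$selector" "$digest"
}

# tlsa_rr PORT HOST USAGE SELECTOR CERT.pem -> complete zone-file line
tlsa_rr() {
    printf '_%s._tcp.%s. IN TLSA %s\n' "$1" "$2" "$(tlsa_rdata "$3" "$4" "$5")"
}

# new_cert BASE: fresh EC key plus self-signed cert (BASE.key, BASE.pem);
# the hostname is made up for this example.
new_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=mail.example.test" -days 30 2>/dev/null
}

# renew_cert BASE: re-issue a cert for the EXISTING key (BASE-renewed.pem)
renew_cert() {
    openssl req -x509 -new -key "$1.key" -out "$1-renewed.pem" \
        -subj "/CN=mail.example.test" -days 30 2>/dev/null
}

# demo: the "Current + Next" scheme (two 3 1 1 records side by side), then a
# renewal that keeps the key pair: 3 1 1 stays the same, 3 0 1 does not.
demo() {
    d=$(mktemp -d)
    new_cert "$d/current"; new_cert "$d/next"
    tlsa_rr 25 mail.example.test 3 1 "$d/current.pem"
    tlsa_rr 25 mail.example.test 3 1 "$d/next.pem"
    renew_cert "$d/current"
    echo "renewed, same key, 3 1 1: $(tlsa_rdata 3 1 "$d/current-renewed.pem")"
    echo "renewed, same key, 3 0 1: $(tlsa_rdata 3 0 "$d/current-renewed.pem")"
    echo "original,          3 0 1: $(tlsa_rdata 3 0 "$d/current.pem")"
    rm -rf "$d"
}
```

Source the file and run `demo`; because a 3 1 1 record only covers the public key, a "next" record can be published before the next certificate is signed whenever the next key pair already exists.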
