#16896: sign zone for haiku-os.org with DNSSEC
------------------------+-------------------------
Reporter: nephele | Owner: haiku-web
Type: bug | Status: new
Priority: normal | Milestone: Unscheduled
Component: Sys-Admin | Version:
Resolution: | Keywords:
Blocked By: | Blocking:
Platform: All |
------------------------+-------------------------
Comment (by nephele):
As far as I am aware, DKIM without DNSSEC doesn't work, since there is no
trusted way the public key can be gotten.
DANE is basically either a hash of the TLS certificate or a certificate
anchor in a TLSA record to verify against; this is for TLS certificate
verification. Many mail servers do not even have a CA root certs bundle as
a potential alternative, so either do DANE or no validation.
My mail server (packageloss.eu) has DANE set up; you can use e.g.
https://internet.nl as a "GUI" way to check what standards servers
support, though it is somewhat picky (e.g. asking for SPF while it is
pretty useless if one already has cryptographic integrity etc.).
(internet.nl also still fails to validate the existence of our DKIM
record.)
For a proper test you can use drill from nlnet, but we don't have it ported
as far as I know.
IIRC for DANE: drill TLSA _smtp._25.packageloss.eu or maybe port and
protocol is the other way around, can't test currently. TLSA is the record
type for DANE.
--
Ticket URL: <https://dev.haiku-os.org/ticket/16896#comment:2>
Haiku <https://dev.haiku-os.org>
The Haiku operating system.
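
Added example (not part of the ticket or of nephele's comment): how a TLSA record of the kind the comment describes is checked against the certificates a server presents, for usage 3 (pin on the server's own certificate or key) and usage 2 (pin on a trust anchor). The sample certificate is a constructed DER skeleton and all function names are hypothetical; chain signature checks and DNSSEC validation of the TLSA answer are assumed to happen elsewhere.

```python
import hashlib

def _tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:              # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def spki_der(cert):
    """Slice SubjectPublicKeyInfo (TLSA selector 1) out of a DER certificate."""
    _, pos, _ = _tlv(cert, 0)      # Certificate
    _, pos, _ = _tlv(cert, pos)    # tbsCertificate
    tag, _, end = _tlv(cert, pos)
    if tag == 0xA0:                # optional [0] version field
        pos = end
    for _field in range(5):        # serial, sigAlg, issuer, validity, subject
        pos = _tlv(cert, pos)[2]
    return cert[pos:_tlv(cert, pos)[2]]

def record_matches(record, cert):
    """record is presentation format: 'usage selector mtype hexdata'."""
    _usage, selector, mtype, *hexdata = record.split()
    subject = cert if selector == "0" else spki_der(cert)
    if mtype != "0":               # 0 = raw data, 1 = SHA-256, 2 = SHA-512
        subject = hashlib.new({"1": "sha256", "2": "sha512"}[mtype], subject).digest()
    return subject == bytes.fromhex("".join(hexdata))

def dane_match(records, chain):
    """Return the first TLSA record matching the chain (leaf first), else None."""
    for rec in records:
        # Usage 3 (DANE-EE) pins the leaf; usage 2 (DANE-TA) pins an issuer,
        # assumed here to be among the non-leaf certificates the server sent.
        # Usages 0 and 1 also require PKIX validation and are skipped.
        candidates = {"3": chain[:1], "2": chain[1:]}.get(rec.split()[0], [])
        if any(record_matches(rec, c) for c in candidates):
            return rec
    return None

# Constructed sample: a DER skeleton with a certificate's field layout,
# not a valid certificate (short-form lengths only).
def _der(tag, body):
    return bytes([tag, len(body)]) + body

ALG = _der(0x30, bytes.fromhex("06032b6570"))             # Ed25519 OID
SPKI = _der(0x30, ALG + _der(0x03, b"\x00" + bytes(32)))
TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + ALG
           + _der(0x30, b"") * 3 + SPKI)
LEAF = _der(0x30, TBS + ALG + _der(0x03, b"\x00"))
RECORD_3_1_1 = "3 1 1 " + hashlib.sha256(SPKI).hexdigest()
```

A "3 1 1" record keeps matching when the certificate is reissued with the same key, while a "3 0 1" record has to be republished on every renewal.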