-
From Viktor:
"Note that the soon up for IESG review draft-ietf-dane-ops
considerably revises the DANE verification logic for TLSA certificate
usage DANE-EE(3). Section 6 should refer to draft-ietf-d…
-
It would be nice if it could be used with the Cloudflare API for DNS records, when you also use DNS to verify for Let's Encrypt using certbot, why not?
There's also https://github.com/ekollof/gentlsa f…
jult updated
8 months ago
-
**Description**
Running on open-source software and supported by SSE, [deSEC](https://desec.io/) is free for everyone to use.
**Example**
DNSSEC
DNS information hosted with deSEC is signed u…
-
### systemd version the issue has been seen with
251.2-2ubuntu1
### Used distribution
Ubuntu 22.10 (Kinetic Kudu)
### Linux kernel version used
5.15.0-40-generic
### CPU architecture…
-
From Viktor:
"I'm not sure what purpose the last paragraph of section 3 is
intended to serve:
Obviously, an authentication chain will be most compact and easiest
to verify if each RRset has …
-
Looks like it stems from `ldns-signzone` breaking when trying to parse CAA records. The solution right now is to correct the records in `/etc/nsd/zones/` and run `ldns-signzone` manually, then deleti…
-
At first sight, this new integrated mail server seems like a great idea - especially to someone who wants to self-host but finds the usual solution of Postfix/Dovecot/SpamAssassin/Roundcube to be very …
-
From Viktor:
"Great care must be taken (with Certificate usages other than
DANE-EE(3)) to ensure that the TLSA record matches a certificate
that is actually part of the server's chain and not just so…
-
Transport security in the SMTP world is merely opportunistic; there is no practice like in the Web to always require encryption with matching DNS-ID and trusted certificate. Additionally, things get compl…
-
From Shumon: We might want to be clearer about whether the serialization chain ends in the TLS server's domain name or in a TLSA record corresponding to the server's TLS certificate. For DANE authenti…