mirror of
https://github.com/internetstandards/toolbox-wiki.git
synced 2024-12-22 17:45:06 +01:00
Updated DANE for SMTP how to (markdown)
This commit is contained in:
parent
dc69833a4d
commit
5eca5695e7
@ -32,7 +32,7 @@ This section describes several pionts for attention when implementing DANE for S
|
||||
* In case of roll-over scheme "current + issuer", the use of the root certificate is preferred because in some contexts ([PKIoverheid](https://en.wikipedia.org/wiki/PKIoverheid)) this makes it easier to switch supplier / certficate without impacting DANE. (Remember [DigiNotar](https://en.wikipedia.org/wiki/DigiNotar)).
|
||||
* Roll-over scheme "current + next" gives less flexibility but the highest form of certainty, because of "tight pinning".
|
||||
* Implement monitoring of your DANE records to be able to detect problems as soon as possible.
|
||||
* Don't use a CNAME in your MX record. This will break DANE since CNAME in MX records are not allowed according to [RFC 2181 section 10.3](https://tools.ietf.org/html/rfc2181#section-10.3).
|
||||
* Make sure your implementation supports the usage of a CNAME in your MX record. There are some inconsistencies between multiple RFC's. According to [RFC 2181](https://tools.ietf.org/html/rfc2181#section-10.3) a CNAME in MX records is not allowed, while [RFC 7671](https://tools.ietf.org/html/rfc7671#section-7) and [RFC 5321](https://tools.ietf.org/html/rfc5321#section-5.1) imply that the usage of a CNAME in MX records is allowed.
|
||||
|
||||
# Outbound e-mail traffic (DNS records)
|
||||
This part of the how to describes the steps that should be taken with regard to your outbound e-mail traffic. This enables other parties to use DANE for validating the certificates offered by your e-mail servers.
|
||||
|
Loading…
Reference in New Issue
Block a user