From 5eca5695e751494afd63540ed76aa9ac022b839c Mon Sep 17 00:00:00 2001 From: Dennis Baaten Date: Mon, 20 May 2019 16:43:24 +0200 Subject: [PATCH] Updated DANE for SMTP how to (markdown) --- DANE-for-SMTP-how-to.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DANE-for-SMTP-how-to.md b/DANE-for-SMTP-how-to.md index 61015b7..aece966 100644 --- a/DANE-for-SMTP-how-to.md +++ b/DANE-for-SMTP-how-to.md @@ -32,7 +32,7 @@ This section describes several pionts for attention when implementing DANE for S * In case of roll-over scheme "current + issuer", the use of the root certificate is preferred because in some contexts ([PKIoverheid](https://en.wikipedia.org/wiki/PKIoverheid)) this makes it easier to switch supplier / certficate without impacting DANE. (Remember [DigiNotar](https://en.wikipedia.org/wiki/DigiNotar)). * Roll-over scheme "current + next" gives less flexibility but the highest form of certainty, because of "tight pinning". * Implement monitoring of your DANE records to be able to detect problems as soon as possible. -* Don't use a CNAME in your MX record. This will break DANE since CNAME in MX records are not allowed according to [RFC 2181 section 10.3](https://tools.ietf.org/html/rfc2181#section-10.3). +* Make sure your implementation supports the usage of a CNAME in your MX record. There are some inconsistencies between multiple RFC's. According to [RFC 2181](https://tools.ietf.org/html/rfc2181#section-10.3) a CNAME in MX records is not allowed, while [RFC 7671](https://tools.ietf.org/html/rfc7671#section-7) and [RFC 5321](https://tools.ietf.org/html/rfc5321#section-5.1) imply that the usage of a CNAME in MX records is allowed. # Outbound e-mail traffic (DNS records) This part of the how to describes the steps that should be taken with regard to your outbound e-mail traffic. This enables other parties to use DANE for validating the certificates offered by your e-mail servers.