nanog mailing list archives

Re: DANE of SMTP Survey


From: "babydr DBA James W. Laferriere" <babydr () baby-dragons com>
Date: Thu, 3 Jun 2021 13:41:29 -0800 (AKDT)

        Hello Mr. Tinka & Mr. Andrews ,  Please see below .

On Thu, 3 Jun 2021, Mark Tinka wrote:
On 6/3/21 00:25, babydr DBA James W. Laferriere wrote:

        The Below is to keep thread of thought accurate ...
On Wed, 2 Jun 2021, Mark Tinka wrote:
* Step 2 - take your time cluing up on getting your zone signed, and
 being part of the solution toward a more secure Internet. No
 pressure, at your pace.


    Again ,  Will this handle the case of self-signed only ?

Not sure I understand your question, in both cases of recursion and authoritative.

The Signing of the 'Zone' , Can the 'Zone' be signed by a self-signed key ? Or MUST I (and others) rely on an external certificate authority ?

        Mind you I notice in rfc6487 (note(s)) about self-signed certificates .
So Maybe I am being a bit over worried about having to spend more money just to keep my 2 ip-ranges routing in light of the RPKI initiative(s) .

        Which Mr. Andrews response below answers quite succinctly ,

On Thu, 3 Jun 2021, Mark Andrews wrote:

DANE works with self generated CERTs. The TLSA record provides the cryptographic link back to the DNSSEC root.

        Thank You Mr. Andrews ,  Muchly . Is what I was hoping for .

                Thank You Both .  JimL
--
+---------------------------------------------------------------------+
| James   W.   Laferriere    | System    Techniques | Give me VMS     |
| Network & System Engineer  | 3237     Holden Road |  Give me Linux  |
| jiml () system-techniques com | Fairbanks, AK. 99709 |   only  on  AXP |
+---------------------------------------------------------------------+
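
Mark Andrews' point that DANE works with self-generated certificates, worked through as an added example (not part of the original message or the thread): the script creates a self-signed certificate, derives the TLSA record data from its public key, and checks which certificates a client would accept against that record. It assumes the `openssl` CLI is installed; `mail.example.net`, port 25, the `3 1 1` parameters (DANE-EE, SPKI, SHA-256) and all function names are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is installed.
# mail.example.net is a placeholder MX host; "3 1 1" is this example's choice.

# SHA-256 of the cert's SubjectPublicKeyInfo (TLSA selector 1, matching type 1).
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# The TLSA record to publish in the DNSSEC-signed zone. $1 = MX host, $2 = cert.
tlsa_rr() {
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(spki_sha256 "$2")"
}

# Client-side check: does the presented cert match the published digest?
# $1 = cert file, $2 = hex digest taken from the TLSA record.
tlsa_matches() {
    [ "$(spki_sha256 "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Self-signed cert with a fresh key, no CA involved. $1 = key, $2 = cert, $3 = CN.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$3" -keyout "$1" -out "$2" 2>/dev/null
}

# New self-signed cert over an existing key (a renewal). Same argument order.
renew_same_key() {
    openssl req -new -x509 -key "$1" -days 30 -subj "/CN=$3" -out "$2" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned "$d/k1.pem" "$d/c1.pem" mail.example.net
    tlsa_rr mail.example.net "$d/c1.pem"          # record to publish
    pin=$(spki_sha256 "$d/c1.pem")
    renew_same_key "$d/k1.pem" "$d/c2.pem" mail.example.net
    tlsa_matches "$d/c2.pem" "$pin" && echo "renewed cert, same key: match"
    make_selfsigned "$d/k2.pem" "$d/c3.pem" mail.example.net
    tlsa_matches "$d/c3.pem" "$pin" || echo "different key: no match"
    rm -rf "$d"
}
demo
```

The digest carries trust only when the zone holding the TLSA record is DNSSEC-signed, which is the link back to the root that the reply describes.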

