2020-09-22
TLSA records for DANE can't have it all
Yesterday I read about changes at LetsEncrypt that influence LetsEncrypt intermediate certificates and DANE, and had a look at my own DANE record, set up in December 2019. I decided to change the 'usage' value to 1, meaning 'EE match validated by public CA', because it's linked to a known public CA, and the old value 3, meaning 'private EE', wasn't completely true because it's linked to a known public CA.

But I received a notification this morning, with:

"Only certificate usages DANE-TA(2) and DANE-EE(3) are supported with SMTP."

With references to RFC 7672 section 3.1.1 and further, which makes a valid point about CA validation in SMTP sessions. So the validation chain is purely based on DNSSEC.
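As an added example (not code from the post or from any DANE tool), the check behind a notification like the one quoted above: parse a TLSA record, refuse the PKIX-TA(0)/PKIX-EE(1) usages for SMTP as RFC 7672 section 3.1 requires, and compare the association data against a DER blob. The SPKI bytes are constructed, and the function names are my own.

```python
import hashlib
from dataclasses import dataclass

USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}  # RFC 7218 acronyms
SELECTOR_NAMES = {0: "Cert", 1: "SPKI"}
MATCHING_NAMES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_LEN = {1: 32, 2: 64}
# RFC 7672 section 3.1: SMTP verifiers only honour DANE-TA(2) and DANE-EE(3); the
# PKIX-* usages need a trusted CA set, which an SMTP client does not have.
SMTP_USAGES = {2, 3}

@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes  # certificate association data

def parse_tlsa_rdata(rdata: str) -> TLSA:
    """Parse presentation-format rdata such as '3 1 1 ab12...' (hex may contain spaces)."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("need usage, selector, matching type and association data")
    usage, selector, matching = (int(f) for f in fields[:3])
    return TLSA(usage, selector, matching, bytes.fromhex("".join(fields[3:])))

def smtp_policy_problems(rec: TLSA) -> list[str]:
    """Reasons an SMTP DANE verifier would ignore this record; empty means usable."""
    problems = []
    if rec.usage not in SMTP_USAGES:
        problems.append(f"usage {rec.usage} ({USAGE_NAMES.get(rec.usage, 'unassigned')}) "
                        "is not supported for SMTP; use DANE-TA(2) or DANE-EE(3)")
    if rec.selector not in SELECTOR_NAMES:
        problems.append(f"unknown selector {rec.selector}")
    if rec.matching not in MATCHING_NAMES:
        problems.append(f"unknown matching type {rec.matching}")
    elif rec.matching in DIGEST_LEN and len(rec.data) != DIGEST_LEN[rec.matching]:
        problems.append(f"{MATCHING_NAMES[rec.matching]} data must be {DIGEST_LEN[rec.matching]} bytes")
    return problems

def association_data(der: bytes, matching: int) -> bytes:
    """Association data for a DER certificate or SPKI (whichever the selector names)."""
    return der if matching == 0 else {1: hashlib.sha256, 2: hashlib.sha512}[matching](der).digest()

def matches(rec: TLSA, der: bytes) -> bool:
    # Only a record that is usable for SMTP at all can match the presented DER.
    return not smtp_policy_problems(rec) and association_data(der, rec.matching) == rec.data

# Constructed sample: a fake P-256 SubjectPublicKeyInfo, not a real key.
SAMPLE_SPKI = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004" + "ab" * 64)
```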