[nsd-users] 2 TLSA RRs for same port ?

shmick at riseup.net shmick at riseup.net
Tue Oct 7 06:03:15 UTC 2014


I've been using TLSA RRs for a while for a number of services.

Recently I've added an additional cert to Postfix so it now supports both RSA
and ECDSA ciphers for incoming comms.

According to the DNS specs, is it legal to have 2 sets of TLSA RRs per
service/port?

How does that affect CNAMEs?

In the case of Postfix, if an MTA chooses an RSA cipher, will it look for
the right TLSA RR automatically?
How?

Is it critically important to have 3 0 1 or 3 1 1 for particular services?

I believe for SMTP and HTTPS, 3 1 1 is recommended.

I'd like to do this for XMPP too, or for other services as required.

Advice very much appreciated.
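The two-certificate RRset the question describes, worked through as an added example (it is not code from the original post, nor from NSD or Postfix). RFC 6698 allows any number of TLSA records at one owner name such as `_25._tcp.mail.example.com`, and a validating client accepts the connection if any one record in the RRset matches the certificate the server actually presented, so publishing one record per certificate covers both the RSA and the ECDSA handshake. The example builds that RRset, runs the usage-3 (DANE-EE) match against each presented certificate, and also shows why `3 1 1` (SPKI hash) keeps matching after a renewal that reuses the key while `3 0 1` (full-certificate hash) does not. The "certificates" are constructed DER stand-ins with real X.509 field order but dummy names, key bytes and signature; the hostname and port are assumptions.

```python
"""TLSA (RFC 6698) records for a server presenting two certs on one port.
Added example. Certificates here are constructed DER stand-ins (dummy key
bytes and signature, real field layout) so the code runs offline."""
import hashlib

# Real OIDs, used only to give the dummy SPKIs an RSA and an EC shape.
OID_RSA = bytes.fromhex("2a864886f70d010101")          # rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")               # id-ecPublicKey
OID_P256 = bytes.fromhex("2a8648ce3d030107")           # prime256v1
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption


def der(tag, content):
    """Encode one DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split a constructed value into (tag, raw_tlv, value) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, end = der_read(content, pos)
        out.append((tag, content[pos:end], val))
        pos = end
    return out


def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of a certificate (selector 1)."""
    _, cert_body, _ = der_read(cert_der)             # Certificate ::= SEQUENCE
    _, _, tbs_body = der_children(cert_body)[0]      # tbsCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                         # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """TLSA RDATA text 'usage selector mtype hex' for one certificate."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    digest = {0: lambda d: d,
              1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[mtype](data)
    return f"{usage} {selector} {mtype} {digest.hex()}"


def publish(host, port, certs, selector=1, mtype=1):
    """One TLSA RR per certificate, all at the same owner name: the port's RRset."""
    return [f"_{port}._tcp.{host}. IN TLSA {tlsa_rdata(c, 3, selector, mtype)}"
            for c in certs]


def dane_ee_matches(presented_cert_der, rrset):
    """Usage-3 (DANE-EE) check: accept if ANY record in the RRset matches."""
    for rr in rrset:
        usage, selector, mtype, hexdata = rr.split()[-4:]
        if usage != "3":
            continue   # usages 0-2 also need a PKIX chain; not modelled here
        expected = tlsa_rdata(presented_cert_der, 3, int(selector), int(mtype))
        if expected == f"3 {selector} {mtype} {hexdata.lower()}":
            return True
    return False


def fake_cert(spki, serial):
    """Constructed DER certificate: correct field order, dummy names and signature."""
    alg = der(0x30, der(0x06, OID_SHA256_RSA))
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                # version v3
        der(0x02, bytes([serial])),                   # serialNumber
        alg,                                          # signature algorithm
        der(0x30, b""),                               # issuer (dummy)
        der(0x30, der(0x17, b"140101000000Z") + der(0x17, b"150101000000Z")),
        der(0x30, b""),                               # subject (dummy)
        spki,                                         # subjectPublicKeyInfo
    ]))
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xaa" * 8))  # dummy signature


# Constructed keys: one RSA-shaped, one P-256-shaped (dummy key bytes).
RSA_SPKI = der(0x30, der(0x30, der(0x06, OID_RSA) + der(0x05, b"")) + der(0x03, b"\x00" + b"\x11" * 32))
EC_SPKI = der(0x30, der(0x30, der(0x06, OID_EC) + der(0x06, OID_P256)) + der(0x03, b"\x00\x04" + b"\x22" * 64))
RSA_CERT = fake_cert(RSA_SPKI, 1)
EC_CERT = fake_cert(EC_SPKI, 2)
RSA_CERT_RENEWED = fake_cert(RSA_SPKI, 3)   # same key, new certificate

if __name__ == "__main__":
    for line in publish("mail.example.com", 25, [RSA_CERT, EC_CERT]):
        print(line)
```

On a real host the `3 1 1` digest for each certificate comes from the live files rather than from stand-ins: `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`, once for the RSA cert and once for the ECDSA cert, both published at the same owner name.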

More information about the nsd-users mailing list