Set up TLSA for DANE
Check DANE for a domain:
https://www.huque.com/bin/danecheck (port 443)
https://www.huque.com/bin/danecheck-smtp (SMTP port 25)
https://internet.nl (HTTP port 443 / SMTP port 25)
https://dane.sys4.de (SMTP port 25)
https://check.sidnlabs.nl/dane (port 443)
DirectAdmin has been DANE ready since 8 June 2017:
Configure DANE for the mail server in directadmin.conf with dns_tlsa=1.
And in case of Let’s Encrypt: letsencrypt_renewal_days=60
In my experience, DirectAdmin’s Let’s Encrypt plugin does not renew in a stable way for TLSA 3 1 1.
Plesk’s DNS (name server) zone editor is not ready for TLSA records:
Fortunately, its Mail Transfer Agent, Postfix, works for DANE.
DirectAdmin, to change DANE to a new certificate, compute the digest of the new certificate:
# openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -outform DER | openssl sha256
Note: your certificate may have a different path and/or file name. This command hashes the complete DER certificate, i.e. it yields the association data for selector 0 (a 3 0 1 record); a 3 1 1 record needs the digest of the public key (SubjectPublicKeyInfo) instead.
Or, more simply, use the generator at https://www.huque.com/bin/gen_tlsa
Setup of TLSA:
My interpretation now and then needs a re-read of the RFCs about DANE. An SSL certificate involves three parts: the private key, the certificate key and the certification authority (CA) key(s).
A TLSA record contains four values:
. certificate usage: which key the string is matched against; CA key(s): 2 versus end-entity certificate key: 3
. selector: what changes after renewal of a certificate; the full certificate always changes: 0 versus the (public) key, identical as long as the private key is kept: 1
. matching type (string length); 1: 256 bits, SHA-256 (versus 2: 512 bits, SHA-512)
. string value (the hash itself)
Using two TLSA records:
. A valid 3 0 1 / 3 1 1 combined with an old or new invalid 3 0 1 / 3 1 1 scores at https://en.internet.nl/;
. A valid 3 1 1 and a valid 3 1 2 (the 512-bit variant) also both score as valid.
Let’s Encrypt:
. every 60 days with 2 1 1, having CA key(s) with a 5-year lifetime;
. every 60 days with 3 1 1 requires that the private key stays unchanged and under control;
(this frequent ‘rekeying’ is an unsolved problem)
Or e.g. Comodo (annually) with 3 0 1, which requires timely maintenance (two records during rollover);
Or e.g. Comodo (annually) with 3 1 1, which simplifies rollover but requires that an unchanged private key is under control.
With Let’s Encrypt, the same 2 1 1 record is published under each owner name (mail: port 25, web: port 443):
_25._tcp
_25._tcp.mail
_443._tcp
_443._tcp.www
E5: TLSA 2 1 1 3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8
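The four fields, the openssl digest command above and the two-record rollover, worked through in an added Python example (this is not code from these notes, nor from DirectAdmin, Plesk or Let’s Encrypt). It uses a tiny DER encoder to build constructed stand-in certificates (no real keys, no valid signatures), extracts the SubjectPublicKeyInfo that selector 1 hashes, generates the rdata for 2 1 1 / 3 0 1 / 3 1 1 / 3 1 2, and checks which of a set of published records a presented chain matches. Only hashlib from the standard library is needed; the sample keys and serial numbers are invented.

```python
import hashlib

# Added example: minimal DER toolkit plus TLSA generation and matching.
# Everything below is constructed for illustration; nothing is a real key or certificate.
ED25519_OID = bytes.fromhex("2b6570")  # 1.3.101.112, chosen only because its SPKI is small


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (single-byte tag, short or long length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_children(body: bytes) -> list:
    """Split the body of a constructed DER value into (tag, whole_tlv, inner_body) tuples."""
    out, i = [], 0
    while i < len(body):
        tag, first = body[i], body[i + 1]
        if first & 0x80:                      # long form: first & 0x7F = number of length bytes
            nb = first & 0x7F
            length = int.from_bytes(body[i + 2:i + 2 + nb], "big")
            hdr = 2 + nb
        else:
            length, hdr = first, 2
        end = i + hdr + length
        out.append((tag, body[i:end], body[i + hdr:end]))
        i = end
    return out


def make_spki(pubkey32: bytes) -> bytes:
    """SubjectPublicKeyInfo around a constructed 32-byte 'Ed25519' public key."""
    alg = der_tlv(0x30, der_tlv(0x06, ED25519_OID))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + pubkey32))


def build_sample_cert(spki: bytes, serial: int = 1) -> bytes:
    """Structurally valid, unsigned stand-in X.509 certificate carrying the given SPKI."""
    alg = der_tlv(0x30, der_tlv(0x06, ED25519_OID))
    name = der_tlv(0x30, b"")  # empty Name is enough for walking the fields
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    tbs = der_tlv(0x30, (
        der_tlv(0xA0, der_tlv(0x02, b"\x02"))  # [0] EXPLICIT version v3
        + der_tlv(0x02, bytes([serial]))        # serialNumber (small positive value)
        + alg + name + validity + name + spki))
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" + bytes(64)))  # dummy signature


def extract_spki(cert_der: bytes) -> bytes:
    """The DER SubjectPublicKeyInfo: what selector 1 hashes (selector 0 hashes cert_der itself)."""
    _, _, cert_body = der_children(cert_der)[0]
    _, _, tbs_body = der_children(cert_body)[0]   # tbsCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                       # skip optional explicit version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def digest(data: bytes, mtype: int) -> str:
    """TLSA matching type: 0 = full data in hex, 1 = SHA-256, 2 = SHA-512."""
    if mtype == 0:
        return data.hex()
    if mtype == 1:
        return hashlib.sha256(data).hexdigest()
    if mtype == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """The four TLSA fields: usage, selector, matching type, association data."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    return f"{usage} {selector} {mtype} {digest(data, mtype)}"


def matches(chain: list, records: list) -> bool:
    """True if any published record matches the presented chain (chain[0] = end-entity).
    Only the association-data comparison is done; usages 0 and 1 would also need PKIX validation."""
    for rdata in records:
        usage, selector, mtype, hexval = rdata.split()
        usage, selector, mtype = int(usage), int(selector), int(mtype)
        candidates = [chain[0]] if usage in (1, 3) else chain[1:]  # usage 0/2 pin a CA cert
        for cert in candidates:
            data = cert if selector == 0 else extract_spki(cert)
            if digest(data, mtype) == hexval:
                return True
    return False


# Constructed sample certificates (invented keys): old and new server key, a renewal that
# keeps the new key, and a stand-in CA.
OLD_CERT = build_sample_cert(make_spki(bytes(range(32))), serial=1)
NEW_CERT = build_sample_cert(make_spki(bytes(range(32, 64))), serial=2)
RENEWED_SAME_KEY = build_sample_cert(make_spki(bytes(range(32, 64))), serial=3)
CA_CERT = build_sample_cert(make_spki(bytes(range(64, 96))), serial=4)

if __name__ == "__main__":
    for owner in ("_25._tcp.mail.example.org.", "_443._tcp.www.example.org."):
        print(f"{owner} IN TLSA {tlsa_rdata(NEW_CERT, 3, 1, 1)}")
    rollover = [tlsa_rdata(OLD_CERT, 3, 1, 1), tlsa_rdata(NEW_CERT, 3, 1, 1)]
    print("old cert still valid during rollover:", matches([OLD_CERT], rollover))
```

With a real certificate, feed the bytes of `openssl x509 -in server.crt -outform DER` to tlsa_rdata instead of build_sample_cert. The matching check makes the notes’ point concrete: a 3 1 1 record keeps matching a renewed certificate that reuses the key, a 3 0 1 record stops matching on any renewal, and a 2 1 1 record only matches when the pinned CA certificate is in the presented chain.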
Notes:
– https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
– https://toolbox.internet.nl -> https://github.com/internetstandards/toolbox-wiki/
– https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
– Plesk stores certificate data in a central location; DirectAdmin in folders both inside and outside its menu;
– DANE is still limited to port 25, i.e. traffic between mail servers;
– For an email client (MUA) DANE is still in the design phase (RFC7671/RFC7673/RFC6698);
– Any obstacle to implementing DANE needs to be addressed.
Terminology:
MTA: Mail Transfer Agent
MUA: Mail User Agent
MDA: Message Delivery Agent