Set up TLSA for DANE

Check DANE for a domain:
https://www.huque.com/bin/danecheck (port 443)
https://www.huque.com/bin/danecheck-smtp (SMTP port 25)
https://internet.nl (port 443 / SMTP port 25)
https://dane.sys4.de (SMTP port 25)
https://check.sidnlabs.nl/dane (port 443)

DirectAdmin is DANE ready since 8 June 2017:
Enable TLSA records for the mail server in directadmin.conf with dns_tlsa=1.
With Let's Encrypt also set letsencrypt_renewal_days=60.
DirectAdmin's Let's Encrypt plugin appears to renew in a way that keeps a TLSA 3 1 1 record valid, i.e. the key pair is reused on renewal rather than regenerated.

Plesk's own DNS server is not ready for TLSA records (the zone with the TLSA records has to be served elsewhere):
Plesk's Mail Transfer Agent Postfix does support DANE (as a sending MTA with smtp_tls_security_level = dane, which also needs a DNSSEC-validating resolver).
Plesk may not yet be stable for TLSA 3 1 1 with automatic Let's Encrypt renewal: if the renewal generates a fresh key pair, the published 3 1 1 record no longer matches the new certificate.

DirectAdmin, computing the new TLSA data when the certificate changes:
# openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -outform DER | openssl sha256
Note: your certificate can have a different path and/or file name.
This hashes the complete DER-encoded certificate, so it yields the data field for a selector 0 record (3 0 1). For a 3 1 1 record only the public key (the SubjectPublicKeyInfo, as printed by openssl x509 -noout -pubkey and converted to DER) is hashed, which is exactly why a 3 1 1 record survives a renewal that reuses the key pair.
Or, more simply, generate the record with https://www.huque.com/bin/gen_tlsa

Setup of TLSA:
My interpretation; now and then it needs re-reading of the RFCs about DANE.
A TLS certificate deployment has three parts: the private key, the server (end-entity) certificate containing the public key, and the certification authority (CA) certificate(s) that signed it.
A DANE client only uses TLSA records from a DNSSEC-signed zone; an unsigned TLSA record is ignored, so DNSSEC on the zone is a precondition.

A TLSA record contains four fields:
. usage: which certificate is being pinned: a CA certificate in the chain (2, DANE-TA) or the server's own certificate (3, DANE-EE). Usages 0 and 1 additionally require normal PKIX validation; RFC 7672 tells SMTP clients to treat them as unusable.
. selector: what gets hashed: the full certificate (0), whose hash changes with every renewal, or only the public key / SubjectPublicKeyInfo (1), whose hash stays the same as long as the key pair is reused
. matching type: how the data is stored: exact (0), SHA-256 (1, 64 hex characters) or SHA-512 (2, 128 hex characters)
. the certificate association data itself (the hex string)

Let's Encrypt (renewed every 60 to 90 days) with 2 1 1 assumes that the CA's intermediate key won't change; the CA does replace intermediates over time, so the record must be checked against the current chain.
Let's Encrypt (renewed every 60 to 90 days) with 3 1 1 requires that the private key is kept unchanged across renewals; renewal clients that generate a fresh key pair each time are the unsolved problem here.
E.g. Comodo (yearly) with 3 1 1 simplifies rollover, but likewise requires that the private key is kept unchanged.
E.g. Comodo (yearly) with 3 0 1 requires timely maintenance: publish both the old and the new record during rollover, and remove the old one afterwards.
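The following is an added example, not code from the original page or from DirectAdmin or Plesk. It computes the TLSA data field from a DER certificate for both selectors and all three matching types (the same result as the openssl pipeline above, or as openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256 for selector 1), using a minimal DER walker to pull out the SubjectPublicKeyInfo. The certificates are constructed, unsigned X.509 skeletons, not real certificates, so that the rollover behaviour described above can be checked: a renewal that reuses the key pair keeps the 3 1 1 data identical while the 3 0 1 data changes, and a renewal with a fresh key pair changes both.

```python
"""TLSA certificate-association data from a DER certificate (added example)."""
import hashlib

SEQUENCE, INTEGER, OID, BIT_STRING, UTCTIME, EXPLICIT_0 = 0x30, 0x02, 0x06, 0x03, 0x17, 0xA0


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (definite length, bodies up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Decode the element at pos; return (tag, body, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        header = 2 + nbytes
    start = pos + header
    return tag, buf[start:start + length], start + length


def der_children(body: bytes):
    """Split a constructed body into (tag, full encoding) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, nxt = der_read(body, pos)
        out.append((tag, body[pos:nxt]))
        pos = nxt
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the encoded SubjectPublicKeyInfo of an X.509 certificate.
    RFC 5280 TBSCertificate: [0] version (optional in v1), serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ..."""
    tag, cert_body, _ = der_read(cert_der)
    tbs_tag, tbs_body, _ = der_read(cert_body)
    if tag != SEQUENCE or tbs_tag != SEQUENCE:
        raise ValueError("not a DER X.509 certificate")
    fields = der_children(tbs_body)
    skip = 1 if fields[0][0] == EXPLICIT_0 else 0  # v1 certificates omit version
    spki_tag, spki = fields[skip + 5]
    if spki_tag != SEQUENCE:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    return spki


def tlsa_data(cert_der: bytes, selector: int, matching: int) -> str:
    """Certificate association data as lower-case hex (RFC 6698 section 2.1)."""
    data = cert_der if selector == 0 else extract_spki(cert_der)  # Cert(0) / SPKI(1)
    if matching == 0:
        return data.hex()                        # Full(0): the raw data, unhashed
    algo = {1: "sha256", 2: "sha512"}[matching]  # SHA2-256(1) / SHA2-512(2)
    return hashlib.new(algo, data).hexdigest()


def tlsa_rdata(cert_der: bytes, usage: int, selector: int, matching: int) -> str:
    """Presentation format of the RDATA, e.g. '3 1 1 <64 hex chars>'."""
    return f"{usage} {selector} {matching} {tlsa_data(cert_der, selector, matching)}"


# --- constructed test data: unsigned X.509 v3 skeletons, not real certificates ---
_ALG_RSA_SHA256 = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a864886f70d01010b")))
_ALG_EC_P256 = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a8648ce3d0201"))
                       + der_tlv(OID, bytes.fromhex("2a8648ce3d030107")))


def toy_spki(point: bytes) -> bytes:
    """SubjectPublicKeyInfo wrapping an invented uncompressed P-256 point."""
    return der_tlv(SEQUENCE, _ALG_EC_P256 + der_tlv(BIT_STRING, b"\x00\x04" + point))


def toy_certificate(serial: int, spki: bytes) -> bytes:
    """Structurally valid certificate with empty issuer/subject and a zero signature."""
    version = der_tlv(EXPLICIT_0, der_tlv(INTEGER, b"\x02"))
    validity = der_tlv(SEQUENCE, der_tlv(UTCTIME, b"250101000000Z")
                       + der_tlv(UTCTIME, b"250401000000Z"))
    tbs = der_tlv(SEQUENCE, version + der_tlv(INTEGER, serial.to_bytes(2, "big"))
                  + _ALG_RSA_SHA256 + der_tlv(SEQUENCE, b"") + validity
                  + der_tlv(SEQUENCE, b"") + spki)
    return der_tlv(SEQUENCE, tbs + _ALG_RSA_SHA256 + der_tlv(BIT_STRING, b"\x00" * 33))


KEY_A = toy_spki(b"\x11" * 64)
KEY_B = toy_spki(b"\x22" * 64)
CERT_ISSUED = toy_certificate(0x1001, KEY_A)   # first issuance
CERT_RENEWED = toy_certificate(0x1002, KEY_A)  # renewal that reuses the key pair
CERT_REKEYED = toy_certificate(0x1003, KEY_B)  # renewal with a fresh key pair

if __name__ == "__main__":
    for name, cert in (("issued", CERT_ISSUED), ("renewed", CERT_RENEWED), ("rekeyed", CERT_REKEYED)):
        print(name, tlsa_rdata(cert, 3, 0, 1))
        print(name, tlsa_rdata(cert, 3, 1, 1))
```

Feed a real certificate by reading the DER bytes (openssl x509 -outform DER) into tlsa_rdata; the walker only relies on the field order fixed by RFC 5280, so it works for v1 certificates without the version field as well.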

With Let's Encrypt, 2 1 1 records pinning the intermediate CA's public key (owner name _port._tcp.hostname; the first two are for the mail server, the last two for the web server; verify the hash against the intermediate currently in your chain before publishing):
_25._tcp       IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
_25._tcp.mail  IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
_443._tcp      IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
_443._tcp.www  IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18

Notes:
– https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
– https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
– Plesk stores certificate data in one central location; DirectAdmin keeps it in several folders, inside and outside its menu;
– In practice DANE is still limited to traffic between mail servers on port 25 (browsers do not check TLSA records);
– For email clients (MUAs) DANE is still in the design phase (RFC 7671 / RFC 7673 / RFC 6698);
– Any obstacle to implementing DANE needs to be addressed.

Terminology:
MTA: Mail Transfer Agent
MUA: Mail User Agent
MDA: Mail Delivery Agent