Set up TLSA for DANE

Check DANE for a domain:
https://www.huque.com/bin/danecheck (port 443)
https://www.huque.com/bin/danecheck-smtp (SMTP port 25)
https://internet.nl (HTTP port 443 / SMTP port 25)
https://dane.sys4.de (SMTP port 25)
https://check.sidnlabs.nl/dane (port 443)

DirectAdmin has been DANE ready since 8 June 2017:
Configure DANE for the mail server in directadmin.conf with dns_tlsa=1.
And in the case of Let’s Encrypt: letsencrypt_renewal_days=60
In my experience, DirectAdmin does not renew in the Let’s Encrypt plugin in a stable way for TLSA 3 1 1.

Plesk’s DNS (name server) interface is not yet ready for TLSA records:
Fortunately, Mail Transfer Agent Postfix works for DANE.

DirectAdmin, when changing DANE to a new certificate:
# openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -outform DER | openssl sha256
This hashes the full DER-encoded certificate, i.e. it produces the value for a selector 0 record such as 3 0 1.
Note: your certificate may have a different path and/or file name.
Or, in a simple professional way: https://www.huque.com/bin/gen_tlsa

Setup of TLSA:
My interpretation, which now and then needs a re-read of the RFCs about DANE: an SSL certificate involves three parts: the private key, the certificate key and the certification authority (CA) key(s).

A TLSA record contains four values:
. usage: how to interpret the string; certificate authority key(s): 2 versus certificate key: 3
. selector: whether the value survives renewal of the certificate key; changes with each renewal (full certificate): 0 versus identical while the private key is kept (public key only): 1
. matching type (hash length); 1: SHA-256 versus 2: SHA-512
. the hash string itself

Using two TLSA records:
. A valid 3 0 1 / 3 1 1 combined with an old or new invalid 3 0 1 / 3 1 1 scores at https://en.internet.nl/;
. A valid 3 1 1 and a valid 3 1 2 (the 512-bit hash variant) also both score as valid.

Let’s Encrypt
. every 60 days with 2 1 1, having CA key(s) with a 5-year lifetime;
. every 60 days with 3 1 1 requires that an unchanged private key is kept under control;
(this frequent ‘rekeying’ is an unsolved problem)
Or e.g. Comodo (yearly) with 3 0 1 requires timely maintenance (two records during rollover);
Or e.g. Comodo (yearly) with 3 1 1 simplifies rollover but requires that an unchanged private key is kept under control.
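The openssl command above and the selector trade-off in the list just above, as an added shell example (not DirectAdmin's, Plesk's or huque.com's code): it derives TLSA record data from a PEM certificate for selector 0 (full certificate, what the openssl command above hashes) or selector 1 (public key only), with SHA-256 or SHA-512, and the demo re-issues a throwaway self-signed certificate on the same private key to show that a 3 1 1 record survives that renewal while a 3 0 1 record does not. The owner name _25._tcp.mail, the file names and the CN mail.example.invalid are assumptions.

```shell
#!/bin/sh
# Added example: build TLSA record data with openssl (assumed paths and names).
set -eu

# der_bytes PEM SELECTOR -> DER of the full certificate (0) or of its SubjectPublicKeyInfo (1)
der_bytes() {
    case $2 in
        0) openssl x509 -in "$1" -outform DER ;;
        1) openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER ;;
        *) echo "selector must be 0 or 1" >&2; return 1 ;;
    esac
}

# tlsa_hash PEM SELECTOR MATCHING_TYPE -> lower-case hex digest (1 = SHA-256, 2 = SHA-512)
tlsa_hash() {
    case $3 in
        1) digest=sha256 ;;
        2) digest=sha512 ;;
        *) echo "matching type must be 1 or 2" >&2; return 1 ;;
    esac
    der_bytes "$1" "$2" | openssl dgst -"$digest" -r | cut -d' ' -f1
}

# tlsa_record OWNER PEM USAGE SELECTOR MATCHING_TYPE -> one zone-file line
tlsa_record() {
    printf '%s IN TLSA %s %s %s %s\n' "$1" "$3" "$4" "$5" "$(tlsa_hash "$2" "$4" "$5")"
}

# demo_rollover DIR: create a throwaway self-signed certificate (constructed test data,
# not a real server certificate), re-issue it on the same private key, print the
# 3 0 1 and 3 1 1 records of both, and return 0 only if the 3 1 1 hash is unchanged
# while the 3 0 1 hash differs.
demo_rollover() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert1.pem" -subj /CN=mail.example.invalid -days 1 2>/dev/null
    openssl req -x509 -key "$dir/key.pem" \
        -out "$dir/cert2.pem" -subj /CN=mail.example.invalid -days 2 2>/dev/null
    for c in cert1 cert2; do
        tlsa_record _25._tcp.mail "$dir/$c.pem" 3 0 1   # changes on every renewal
        tlsa_record _25._tcp.mail "$dir/$c.pem" 3 1 1   # stable while the key is kept
    done
    [ "$(tlsa_hash "$dir/cert1.pem" 1 1)" = "$(tlsa_hash "$dir/cert2.pem" 1 1)" ] &&
        [ "$(tlsa_hash "$dir/cert1.pem" 0 1)" != "$(tlsa_hash "$dir/cert2.pem" 0 1)" ]
}
# Usage: . ./tlsa_gen.sh && demo_rollover "$(mktemp -d)"
```

For a real deployment, point tlsa_record at the server certificate for usage 3 or at the issuing intermediate certificate for usage 2, and publish both the old and the new record during a rollover.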

With Let’s Encrypt:
_25._tcp
_25._tcp.mail
_443._tcp
_443._tcp.www

old X3: TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
new R3: TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
new E1: TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10

Explanation of the two additional records for rollover: the new E1 value has not yet been proven. The Let’s Encrypt intermediate CA certificate ‘X3’ is replaced with ‘R3’ and ‘E1’, which have new keys, so all DANE TLSA ‘2 1 1’ records matching ‘X3’ will not match ‘R3’ or ‘E1’. The implementation (dated Thursday 3 September 2020) is planned before the end of 2020.

Hint: you can publish three values first and later reduce them to one or two.

Notes:
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
https://toolbox.internet.nl -> https://github.com/internetstandards/toolbox-wiki/
– https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
– Plesk stores certificate data in a central location; DirectAdmin stores it in folders inside and outside its menu;
– DANE is still limited to port 25 for traffic between mail servers;
– For email clients, DANE is still in the design phase (RFC7671/RFC7673/RFC6698);
– Any obstacle to implementing DANE needs to be addressed.

Terminology:
MTA: Mail Transfer Agent
MUA: Mail User Agent
MDA: Message Delivery Agent