self-certified TLS in DNSSEC out in the wild

mehBananas got bored one day and decided to make free SSL certificates (my blog) and stick some records like

_25._tcp.mailx.zoo. TLSA 2 1 1 monkeystringthatgoesonandon

into a domain which did not have them but is DNSSEC-valid (my blog). I decided not to spend money, since I like free and since it is possible in DNSSEC, and I had not done it that way before; I have done 3 1 1 (my blog) elsewhere with a CA-validated TLS certificate and that worked.
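For readers who want to reproduce the record above, here is an added example (not the post's own code, and not a tool the author used) that builds the RDATA for a TLSA record and shows the difference between the 2 1 1 and 3 1 1 records discussed here: usage 2 pins the public key of your own CA, so any leaf signed by it matches as long as the server sends the CA certificate in its chain, while usage 3 pins the leaf itself. It uses only the Python standard library and a tiny DER walker; the certificates it hashes are constructed filler (structurally valid X.509 with dummy key and signature bytes, so they run offline), and the owner name `_25._tcp.mailx.zoo.` and the name `zoo home CA` are taken from the post or assumed. On a real server you would feed it the DER of the certificate `openssl` produced; the hash is the same one the usual `openssl x509 -pubkey | openssl pkey -pubin -outform DER | sha256sum` pipeline yields.

```python
"""Build and check DANE TLSA records (RFC 6698 / RFC 7672) with the standard library only."""
import hashlib

# --- minimal DER helpers --------------------------------------------------
def der(tag, content):
    """Encode one DER TLV (tag byte, definite length, content)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, content, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a constructed value into the raw TLVs of its children."""
    out, pos = [], 0
    while pos < len(content):
        _, _, end = der_read(content, pos)
        out.append(content[pos:end])
        pos = end
    return out

def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of a certificate (the input for selector 1)."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body, _ = der_read(der_children(cert_body)[0])   # tbsCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:        # EXPLICIT [0] version: present in v2/v3, absent in v1
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5]

# --- TLSA record generation and matching ---------------------------------
def tlsa_rdata(cert_der, usage, selector, mtype):
    """Build the 'usage selector mtype hex' RDATA for a certificate."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    if mtype == 0:
        assoc = data                            # full data, no hash
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type %r" % mtype)
    return "%d %d %d %s" % (usage, selector, mtype, assoc.hex())

def tlsa_rr(owner, cert_der, usage, selector, mtype):
    """Full zone-file line, e.g. '_25._tcp.mailx.zoo. IN TLSA 2 1 1 <hex>'."""
    return "%s IN TLSA %s" % (owner, tlsa_rdata(cert_der, usage, selector, mtype))

def dane_match(rdatas, chain):
    """Return the first TLSA RDATA string the presented chain (leaf first) satisfies, else None.

    Usage 3 (DANE-EE): only the leaf may match.
    Usage 2 (DANE-TA): any certificate the server sent may match; a real verifier
    must then also build a valid signature path from the leaf to that anchor (not shown).
    Usages 0/1 need a public CA set, which SMTP does not have (RFC 7672), so they are skipped.
    """
    for rdata in rdatas:
        usage, selector, mtype, assoc = rdata.split()
        usage, selector, mtype = int(usage), int(selector), int(mtype)
        candidates = {3: chain[:1], 2: chain}.get(usage, [])
        for cert in candidates:
            if tlsa_rdata(cert, usage, selector, mtype).split()[3] == assoc.lower():
                return rdata
    return None

# --- constructed test material (filler bytes, not real keys or signatures) --
def fake_cert(cn, key_bytes, v3=True):
    """Structurally valid but unsigned X.509 DER, enough for the hashing above."""
    rsa_oid = der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b"")
    spki = der(0x30, der(0x30, rsa_oid) + der(0x03, b"\x00" + key_bytes))
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0c, cn))))
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = (der(0xA0, der(0x02, b"\x02")) if v3 else b"") + der(0x02, b"\x01") \
        + sig_alg + name + validity + name + spki
    return der(0x30, der(0x30, tbs) + sig_alg + der(0x03, b"\x00" + b"\x00" * 32))

CA = fake_cert(b"zoo home CA", b"\xca" * 256)     # the home-made CA (assumed name)
LEAF = fake_cert(b"mailx.zoo", b"\xee" * 256)     # the mail server certificate it signed
CHAIN = [LEAF, CA]                                # order the MTA presents: end entity first

if __name__ == "__main__":
    print(tlsa_rr("_25._tcp.mailx.zoo.", CA, 2, 1, 1))    # what the post publishes: the CA key
    print(tlsa_rr("_25._tcp.mailx.zoo.", LEAF, 3, 1, 1))  # the CA-free alternative: pin the leaf
    print(dane_match([tlsa_rdata(CA, 2, 1, 1)], CHAIN))
```

The practical caveat a 2 1 1 record carries: because the DNS holds only a digest, the verifier can only match it against a certificate it actually received, so your MTA must send the CA certificate along with the leaf (RFC 7671 requires this for digest-form usage 2 records). A 3 1 1 record needs only the leaf, but has to be re-published every time the server key changes.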

This was for email rather than web hosting, so I wanted to see whether it passed or failed (my blog). A number of tests were passed, although they did like the self-certified one: one site scored it higher* than the one from the SSL mafia, and all deemed my settings correct.

However, it seems that, despite the fact that you can, the SSL mafia would rather you paid to get DANE-secured email.

dane is not this


I will keep the settings for a year just because I want to see how it pans out. Later on I created yet another zoo DANE setup and discovered that SSL "trust" is only worth 9% of one test. It helped that I had a good baseline for settings and known values that worked.

One domain is without self-certified TLS; I have plans for it at a later date, although I am open to doing this again should I be unsatisfied, if the result is not worth it.

I had fun.

* assuming a high key size

One response

  1. Pingback: letsencrypt in debian backports | Bananas in the Falklands
