self certified tls in dnssec out in the wild

mehBananas got bored one day and decided to make free ssl certificates (my blog) and stick some records like

_25._tcp.mailx.zoo. TLSA 2 1 1 monkeystringthatgoesonandon

into a domain which did not have them but is dnssec valid (my blog). I decided not to spend money, since i like free, since it is possible in dnssec and i had not done it that way, although i have done 3 1 1 (my blog) elsewhere, which is validated tls, and that worked.

Instead of web hosting this was for email, so i wanted to see if it passed or failed (my blog). A number of tests were passed, although they did like the self certified one site, which scored higher* than the one from the ssl mafia – all deemed my settings correct.

However it seems that, despite the fact that you can, the ssl mafia would rather you paid to get dane secured email.
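To make the record fields concrete, here is an added example (not from this blog) showing how the rdata of a TLSA record like the 2 1 1 and 3 1 1 ones above is derived from a certificate and how a presented chain is checked against it. It uses only the Python standard library; the two certificates are constructed, unsigned stand-ins (correct DER layout, dummy key and signature bytes) so it runs offline, the name `_25._tcp.mailx.zoo.` is the one from the post, and the helper names (`spki_der`, `tlsa_rdata`, `dane_matches`, `fake_cert`) are my own.

```python
import hashlib

SEQ, INT, OID, NULL, BITSTR, UTF8, UTCTIME, SET, CTX0 = (
    0x30, 0x02, 0x06, 0x05, 0x03, 0x0C, 0x17, 0x31, 0xA0)


def der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value


def read_tlv(buf, pos=0):
    """Return (tag, value, end_offset) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def children(value):
    """Split a constructed element's body into its full TLV members."""
    out, pos = [], 0
    while pos < len(value):
        _, _, end = read_tlv(value, pos)
        out.append(value[pos:end])
        pos = end
    return out


def spki_der(cert_der):
    """DER-encoded SubjectPublicKeyInfo, which TLSA selector 1 covers."""
    _, cert_body, _ = read_tlv(cert_der)
    _, tbs_body, _ = read_tlv(children(cert_body)[0])
    fields = children(tbs_body)
    # tbsCertificate: [0] version (optional), serial, sigAlg, issuer,
    # validity, subject, subjectPublicKeyInfo, ...
    return fields[6 if fields[0][0] == CTX0 else 5]


def tlsa_rdata(cert_der, usage, selector, mtype):
    """Build the 'usage selector mtype data' rdata for one certificate."""
    data = cert_der if selector == 0 else spki_der(cert_der)  # selector 0 = whole cert
    if mtype == 0:
        digest = data.hex()
    elif mtype == 1:
        digest = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type %d" % mtype)
    return "%d %d %d %s" % (usage, selector, mtype, digest)


def dane_matches(chain, rdata):
    """True if the presented chain (leaf first) satisfies one TLSA record.

    SMTP DANE (RFC 7672) only uses DANE-TA(2) and DANE-EE(3).  Usage 3 must
    match the leaf itself; usage 2 must match an issuer certificate in the
    chain.  The chain's signatures are NOT verified here; a real DANE-TA
    check must additionally validate the leaf up to that trust anchor.
    """
    usage, selector, mtype, digest = rdata.split()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage == 3:
        candidates = chain[:1]
    elif usage == 2:
        candidates = chain[1:]
    else:
        return False
    return any(tlsa_rdata(c, usage, selector, mtype).split()[3] == digest.lower()
               for c in candidates)


def fake_cert(cn, key_bits):
    """CONSTRUCTED, unsigned certificate: real layout, dummy content."""
    sig_alg = der_tlv(SEQ, der_tlv(OID, bytes.fromhex("2a864886f70d01010b")) + der_tlv(NULL, b""))
    spki = der_tlv(SEQ, der_tlv(SEQ, der_tlv(OID, bytes.fromhex("2a864886f70d010101")) + der_tlv(NULL, b""))
                   + der_tlv(BITSTR, b"\x00" + key_bits))
    name = der_tlv(SEQ, der_tlv(SET, der_tlv(SEQ, der_tlv(OID, bytes.fromhex("550403")) + der_tlv(UTF8, cn))))
    tbs = (der_tlv(CTX0, der_tlv(INT, b"\x02")) + der_tlv(INT, b"\x01") + sig_alg + name
           + der_tlv(SEQ, der_tlv(UTCTIME, b"240101000000Z") + der_tlv(UTCTIME, b"250101000000Z"))
           + name + spki)
    return der_tlv(SEQ, der_tlv(SEQ, tbs) + sig_alg + der_tlv(BITSTR, b"\x00" + b"\xab" * 8)), spki


# Constructed sample chain: a leaf for mailx.zoo and the private CA that "issued" it.
SAMPLE_LEAF, SAMPLE_LEAF_SPKI = fake_cert(b"mailx.zoo", b"\x01" * 32)
SAMPLE_CA, SAMPLE_CA_SPKI = fake_cert(b"zoo private CA", b"\x02" * 32)

if __name__ == "__main__":
    for usage, cert in ((3, SAMPLE_LEAF), (2, SAMPLE_CA)):
        print("_25._tcp.mailx.zoo. IN TLSA", tlsa_rdata(cert, usage, 1, 1))
```

The point of hashing the SubjectPublicKeyInfo (selector 1) rather than the whole certificate (selector 0) is that the record survives re-issuing the certificate with the same key, which is what makes a yearly self-signed renewal painless; the point of usage 3 versus 2 is whether the record pins the mail server's own key or the private CA that signs it. Feeding a real DER certificate (for example `openssl x509 -outform DER`) into `tlsa_rdata` produces the same rdata that a TLSA generator would.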

dane is not this

I will keep the settings for a year just because i want to see how it pans out. Later on i created yet another zoo dane setup and discovered that ssl ‘trust’ is only worth 9% of one test. It helped that i had a good baseline for settings and known values that worked.

One domain is without self certified tls, which i have plans for at a later date, although i am open to doing this again should i be unsatisfied, if the result is not worth it.

I had fun.

* assume a high key size

2 responses

  1. Pingback: letsencrypt in debian backports | Bananas in the Falklands

  2. Pingback: i still do not grok hpkp and overriding it like a pro | Bananas in the Falklands
