Bananas got bored one day and decided to make free ssl certificates (my blog) and stick some records like
_25._tcp.mailx.zoo. TLSA 2 1 1 monkeystringthatgoesonandon
into a domain which did not have them but is dnssec valid (my blog). I decided to not spend money since i like free since it is possible in dnssec and i had not done it that way but i have done 3 1 1 (my blog) elsewhere which is valided tls and that worked.
Instead of web hosting this was for email so i wanted to see if it passed or failed (my blog) A number of tests where passed although they did like the self certified one site which scored higher* than the one from the ssl mafia – all deemed my settings correct.
However it seems that despite the fact that you can , the ssl mafia would rather you paid to get dane secured email.
I will keep the settings for a year just because i want to see how it pans out, later on i created yet another zoo dane setup and discovered that ssl ‘trust’ is only worth 9% of one test. It helped that i had a good baseline for settings and known values that worked.
One domain is without self certified tls of which i have plans for at a later date although i am open to doing this again should be unsatisfied if the result is not worth it.
I had fun.
* assume a high key size