Hello everybody, I recently implemented DNSSEC on my personal domain (yay!) and so now of course I'm exploring this newfangled DANE business and trying to understand what would be involved with implementing DANE for my mail server.
From my exploration, there seem to be two main options that people use:
Use a "3" type record, with the leaf certificate public key being in the TLSA record. And when one's leaf key changes (either with every renewal, or perhaps less often if one keeps the same key around for a few certificate renewal cycles), ensuring that the new key is published in DNS for some length of time (at least a couple record TTLs worth) before actually having the mail server use it.
Use a "2" type record, with the CA intermediate public key (or full cert) being in the TLSA record. And then one needs to keep an eye on, like, the API Announcements section of this forum to stay appraised of when those are likely to change and ensure that updates get published, or perhaps ideally automate it in some fashion similar to the "3" type record based on what intermediate signed each certificate.
But, I haven't seen any discussion about what I think is a third way, which seems the "easy" one to me, at least when first starting out with a DANE implementation:
- Use a "2" type record, with the CA root certificate being in the TLSA record. This would require the mail server to be configured to send the self-signed root to be sent as part of the chain it sends, as I understand it, but setting that up (by appending it to the chain file I already get from my ACME client in a post-hook type setup for the file that my mail server uses) seems like a one-and-done thing, that only needs a DNS update when the Root changes (which is not very often).
In particular, for Let's Encrypt, my mail server currently gets two certificates, an ECDSA one signed by the EC chain (E1/E2 intermediates), as well the "classic" RSA one signed by the RSA chain (R3/R4 intermediates). In practice, while I suspect that any mail server trying to connect that has DANE support would likely support ECDSA, in order to do this most correctly, as I understand it, with option 1 I'd need to include both certificates each time in the DNS records, and with option 2 I'd need to include all the intermediates, but with my option 3 I'd just need to include the one ISRG Root CA X1 record.
So, all I'd need to do is add appending the root to my existing script (since Postfix prefers the key and chain in one file anyway, I'd just be adding another file to the cat command in my existing post-hook script), and then add one DNS record, and then not need to worry about updating anything until ISRG Root X1 is getting replaced.
So, is there something I'm missing? Does adding the self-signed root to the chain cause confusion for non-DANE-checking SMTP servers, or anything like that? I mean, I could certainly go the route of publishing each key and building more automation into updating my TLSA records and such, and I might end up doing that just for fun at some point anyway, but in terms of just "getting started" it seems like just publishing the root would be the easiest way to go? But I haven't seen any reference to doing things that way in my research, so I'm assuming I'm probably missing something.
Thanks for your thoughts!