On Thu, Aug 04, 2016 at 03:05:00PM -0700, Carl Byington wrote:

> > OpenSSL version 1.1.0 pre release 6 (beta)
>
> Seems to work in my openssl/sendmail/dane test environment.

Thanks for the confirmation.

> http://www.five-ten-sg.com/mapper/blog/dane

Note, I still firmly hold that the "o DANE=always" mode is largely
a bad idea.  It is only "useful" when an MX host has its address
records in a signed zone, but its TLSA records are CNAMEd into an
unsigned zone:

    ; example.com zone is signed
    example.com. IN MX 0 smtp.example.com.
    smtp.example.com. IN A 192.0.2.1
    _25._tcp.smtp.example.com. IN CNAME _dane.example.net.

    ; example.net zone is not signed
    _dane.example.net. IN TLSA 3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Such configurations will be rather rare, and offer minimal incremental
MITM protection.  The code and documentation to support this use-case
and explain it to users are not worth the trouble.

-- 
	Viktor.
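
Added example, not part of the original message: a small Python model of the zone layout above, showing that the address lookup for the MX host validates while the TLSA lookup does not, because a CNAME chain is only DNSSEC-secure when every name in it sits in a signed zone. The ZONES and RECORDS tables and all function names are constructed for illustration; no real resolver is queried.

```python
# Constructed model of the zone layout in the message; not a real resolver.
ZONES = {"example.com.": True, "example.net.": False}  # zone apex -> signed?

RECORDS = {
    ("example.com.", "MX"): ["0 smtp.example.com."],
    ("smtp.example.com.", "A"): ["192.0.2.1"],
    ("_25._tcp.smtp.example.com.", "CNAME"): ["_dane.example.net."],
    ("_dane.example.net.", "TLSA"): ["3 1 1 <digest from the message>"],
}


def zone_is_signed(name):
    """Signed status of the closest enclosing zone listed in ZONES."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        apex = ".".join(labels[i:]) + "."
        if apex in ZONES:
            return ZONES[apex]
    return False  # assumption: a zone we know nothing about is unsigned


def resolve(name, rtype, max_hops=8):
    """Follow CNAMEs and return (rdata, secure).

    secure is True only if every owner name visited, including each
    CNAME along the way, lies in a signed zone.
    """
    secure = True
    for _ in range(max_hops):
        secure = secure and zone_is_signed(name)
        if (name, rtype) in RECORDS:
            return RECORDS[(name, rtype)], secure
        cname = RECORDS.get((name, "CNAME"))
        if cname is None:
            return [], secure
        name = cname[0]
    raise RuntimeError("CNAME chain too long")


def dane_inputs(mx_host, port=25):
    """Security status of the two lookups a DANE SMTP client relies on."""
    _, addr_secure = resolve(mx_host, "A")
    tlsa, tlsa_secure = resolve(f"_{port}._tcp.{mx_host}", "TLSA")
    return {"address_secure": addr_secure,
            "tlsa_found": bool(tlsa),
            "tlsa_secure": tlsa_secure}


if __name__ == "__main__":
    print(dane_inputs("smtp.example.com."))
```

Setting ZONES["example.net."] to True models signing the CNAME target zone, after which the TLSA lookup is reported secure as well.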