I have an issue with setting up a TLSA DNS record.
I own 2 domains (nipponfest.sk and hangukon.sk). Both of them are not registered with the Cloudflare registrar, but the registrar is set to redirect DNS queries to the Cloudflare nameservers.
I do DNS management of records through Cloudflare.
I have set up MX records for both domains together with SPF, DKIM and DMARC records.
These MX records both point to an A record (IPv4 host address) under the nipponfest.sk domain.
On this host I have a basic email server setup on Debian 9 Linux (Postfix), where I would like to configure secure incoming and outgoing mail transfer using DANE.
- I have created a public/private RSA 2048-bit key pair using the openssl utility
- I made a certificate signing request file using the public key generated in the previous step
- Then I created a self-signed custom root certificate authority X.509 certificate
- With this custom root CA certificate and the CSR file I made an X.509 host certificate
- I took the host certificate and fed it to this tool: https://www.huque.com/bin/gen_tlsa
- I set the domain name, port to 25, protocol: tcp, usage field: 3, selector field: 1, matching field: 1, pasted the host certificate and let the tool generate the output
- In the Cloudflare DNS section web interface I created a TLSA record for domain1 and pasted there the SHA-256 digest from the tool
- I then waited several hours
The problem: when I now do a dig from the command line for the TLSA record type, I get no output. Even the DANE SMTP validator https://dane.sys4.de shows no TLSA record. And I'm now lost as to what the problem is.
I'm including a screenshot of the DNS TLSA record:
Any help/suggestion is greatly appreciated!
I'm kind of new to the field of system administration.
Edit: I have been checking the whole Cloudflare community and found out that another user had basically the same problem: Support for TLSA / DANE proto
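To make the "usage 3, selector 1, matching 1" steps above concrete, here is an added example (not the poster's setup and not the huque.com tool's code) that computes the TLSA RDATA the way the tool does: selector 1 means the DER-encoded SubjectPublicKeyInfo from the certificate, matching type 1 means its SHA-256 digest, and usage 3 (DANE-EE) means the MX host's own end-entity certificate is trusted directly. It also shows the check a practitioner wants after publishing: compare the computed RDATA with what DNS actually returns for `_25._tcp.<MX hostname>`. The certificate is constructed inside the script with placeholder names, dates and a fake modulus, so it runs offline; everything else (the DER walker, the hostname `mail.example.invalid`, the `dig` line in the comments) is an assumption for illustration.

```python
"""Compute DANE TLSA RDATA (usage 3, selector 1, matching 1) for an X.509
certificate and compare it with published DNS answers.  Added example; the
certificate built below is constructed in-code and is not a real key."""
import hashlib


def der(tag, payload):
    """Encode one DER TLV: tag byte, definite length, payload."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_header_len(tlv):
    """Number of bytes used by tag + length in a DER TLV."""
    first = tlv[1]
    return 2 + (first & 0x7F) if first & 0x80 else 2


def der_payload(tlv):
    """Payload of a DER TLV with tag and length stripped."""
    return tlv[der_header_len(tlv):]


def der_children(buf):
    """Split the payload of a constructed DER value into child TLVs."""
    out, pos = [], 0
    while pos < len(buf):
        hdr = der_header_len(buf[pos:pos + 2])
        first = buf[pos + 1]
        length = int.from_bytes(buf[pos + 2:pos + hdr], "big") if first & 0x80 else first
        out.append(buf[pos:pos + hdr + length])
        pos += hdr + length
    return out


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (what TLSA selector 1 hashes).
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    Equivalent openssl pipeline for a real PEM certificate:
      openssl x509 -in host.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
    """
    tbs = der_children(der_payload(cert_der))[0]
    fields = der_children(der_payload(tbs))
    if fields[0][0] == 0xA0:        # explicit [0] version present (v3 certs)
        fields = fields[1:]
    return fields[5]                # serial, sigalg, issuer, validity, subject, SPKI


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Presentation-format RDATA 'usage selector mtype hexdata'.
    selector: 0 = full certificate, 1 = SubjectPublicKeyInfo.
    mtype:    0 = raw bytes, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 1:
        data = hashlib.sha256(data).digest()
    elif mtype == 2:
        data = hashlib.sha512(data).digest()
    elif mtype != 0:
        raise ValueError("unknown matching type %d" % mtype)
    return "%d %d %d %s" % (usage, selector, mtype, data.hex())


def tlsa_published(expected, dns_answers):
    """True if expected RDATA appears among TLSA answers as printed by, e.g.,
    `dig _25._tcp.mail.example.invalid TLSA +short` (constructed hostname).
    Whitespace inside the hex field and letter case are ignored."""
    def norm(s):
        p = s.split()
        return tuple(p[:3]) + ("".join(p[3:]).lower(),)
    return any(norm(a) == norm(expected) for a in dns_answers)


def sample_spki():
    """Constructed rsaEncryption SPKI with a fake 33-byte modulus (not a key)."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    rsa_pub = der(0x30, der(0x02, b"\x00" + bytes(range(1, 33))) + der(0x02, b"\x01\x00\x01"))
    return der(0x30, alg + der(0x03, b"\x00" + rsa_pub))


def build_test_cert(spki_der):
    """Wrap an SPKI in a syntactically valid v3 certificate; name, dates and
    signature are constructed placeholders."""
    sigalg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    cn = der(0x06, bytes.fromhex("550403")) + der(0x0C, b"mail.example.invalid")
    name = der(0x30, der(0x31, der(0x30, cn)))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + sigalg + name + validity + name + spki_der)
    return der(0x30, tbs + sigalg + der(0x03, b"\x00" + bytes(32)))


if __name__ == "__main__":
    cert = build_test_cert(sample_spki())
    rdata = tlsa_rdata(cert)
    print("_25._tcp.mail.example.invalid. IN TLSA", rdata)
    # Simulated empty dig answer, as in the question: no TLSA answer at all.
    print("published:", tlsa_published(rdata, []))
```

Two things worth checking with this in hand: the record's owner name must be `_25._tcp.` followed by the exact MX hostname (the A record's name), not the bare domain, and the zone must be DNSSEC-signed, because DANE-aware senders ignore TLSA records that are not validated.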