DNSSEC mismatch

I noticed some mail was bouncing because postfix was using a self-signed certificate.

After replacing the certificate, DANE/DNSSEC is no longer matching. (I checked with this useful tool: https://ssl-tools.net/mailservers)

whats_next.py assumes the DS record is fine however and doesn’t show the needed record information to fix the issue. How do I view the info needed to fix the DS record?

It’s actually the TLSA record (the code that generates it).

Running tools/dns_update should do the trick, plus some time for DNS propagation.

Would you mind filing an issue on github to have whats_next check that the TLSA record matches the certificate?
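The "does the TLSA record still match the certificate" check described above, as an added example that is not Mail-in-a-Box's own code: it assumes the record is published in the usual `3 1 1` form (DANE-EE, SubjectPublicKeyInfo, SHA-256) and builds a constructed stand-in certificate with placeholder fields so it runs offline; for a real check, feed `pem_to_der()` the PEM file Postfix serves.

```python
import base64
import hashlib

def der_encode(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite-length form)."""
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag, n]) + content if n < 0x80 else bytes([tag, 0x80 | len(lb)]) + lb + content

def der_children(content: bytes):
    """Split constructed DER content into (tag, raw_tlv, value) tuples."""
    out, i = [], 0
    while i < len(content):
        tag, n, j = content[i], content[i + 1], i + 2
        if n & 0x80:                      # long-form length: low bits give the byte count
            n, j = int.from_bytes(content[j:j + (n & 0x7F)], "big"), j + (n & 0x7F)
        out.append((tag, content[i:j + n], content[j:j + n]))
        i = j + n
    return out

def spki_from_cert(cert_der: bytes) -> bytes:
    """Raw SubjectPublicKeyInfo TLV of a DER X.509 cert (a 3 1 1 record hashes exactly this)."""
    tbs = der_children(der_children(cert_der)[0][2])[0][2]   # Certificate -> tbsCertificate
    fields = der_children(tbs)
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional explicit [0] version
    return fields[5][1]   # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_from_cert(cert_der: bytes) -> str:
    """RDATA for usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256); assumed form."""
    return "3 1 1 " + hashlib.sha256(spki_from_cert(cert_der)).hexdigest()

def tlsa_matches(published_rdata: str, cert_der: bytes) -> bool:
    """True if the TLSA RDATA seen in DNS matches the certificate Postfix now serves."""
    return " ".join(published_rdata.split()).lower() == tlsa_from_cert(cert_der)

def pem_to_der(pem: str) -> bytes:   # for real use: load the PEM file Postfix serves
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def build_sample_cert(key_bits: bytes) -> bytes:
    """Constructed stand-in cert: real field layout, placeholder names/validity/signature."""
    seq = lambda *parts: der_encode(0x30, b"".join(parts))
    rsa_oid = der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
    spki = seq(seq(rsa_oid + der_encode(0x05, b"")), der_encode(0x03, b"\x00" + key_bits))
    tbs = seq(der_encode(0xA0, der_encode(0x02, b"\x02")), der_encode(0x02, b"\x01"),
              seq(rsa_oid), seq(), seq(), seq(), spki)
    return seq(tbs, seq(rsa_oid), der_encode(0x03, b"\x00" * 9))

OLD_CERT = build_sample_cert(bytes(range(64)))        # constructed: key the published record was made from
NEW_CERT = build_sample_cert(bytes(range(64, 128)))   # constructed: replacement certificate, fresh key
PUBLISHED_TLSA = tlsa_from_cert(OLD_CERT)             # what tools/dns_update wrote before the swap
```

`tlsa_matches(PUBLISHED_TLSA, NEW_CERT)` is False after the certificate swap, which is the mismatch the mail-server checker reports until `tools/dns_update` republishes the record and DNS propagates.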

Oh I see, you’re right.

I’ll add an issue on github.

Thanks for the quick response!