Fix typos, make screenshot a progressive JPEG.

content/posts/2024/dane-tlsa-record-for-letsencrypt/index.md

@@ -6,7 +6,7 @@ description: >
   on my server that uses SSL certificates from Let's Encrypt.
 date: 2024-10-03T09:26:58Z
 draft: false
-# ShowLastmod: true
+ShowLastmod: true
 toc: true
 scrolltotop: true
 tags:
@@ -14,9 +14,9 @@ tags:
   - certificate
 ---
 
-I have been operating my own mail server for some 10+ years. Recently, some
+I have been operating my own mail server for some 10 years. Recently, some
 e-mails that others attempted to send to me any my family would not longer be
-delivered. This is a very unfortunate situation, because most people will not
+delivered. This is a very unfortunate situation, because most senders will not
 make a second attempt (e.g., with a different recipient address), leave alone
 provide you with an error message. However, luckily, this morning (Reunification
 Day in Germany!), I received this screenshot:
@@ -36,7 +36,7 @@ trial and error, I found the following resource most useful:
 
 <https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html>
 
-Key points:
+Key points from this and other pages to remember:
 
 - When using TLSA RR in the form `2 1 1 ...`, i.e., declaring that the payload
   (`...`) of the record is the digest of a "trust anchor", be aware that this
@@ -56,7 +56,7 @@ their page linked to above has a list of mail servers that still use a TLSA
 record with a _retired_ CA from Let's Encrypt -- and that list contains
 `bovender.de' :-/ I guess it's about time to fix that!
 
-## Let's Eencrypt's chains of trust
+## Let's Encrypt's chains of trust
 
 Let's Encrypt's chains of trust are described here:
 
@@ -71,7 +71,7 @@ Let's Encrypt lists four active intermediate CAs:
 - R10 and R11 for certificates with RSA public keys
 
 To find out which of the two algorithms (ECDSA and RSA) was used to generate
-your mail server's certificate, SSH into your server, navigate to
+your mail server's certificate, ssh into your server, navigate to
 `/etc/letsencrypt/live/<mailserver-certificate-name>` as root and issue:
 
 ```text
@@ -93,7 +93,9 @@ Certificate:
 
 Thus, my mail server's current (!) certificate was issued by **R11**.
 
-This may be different in the future. For example, currently my web server's certificate uses the ECDSA algorithm:
+This may be different in the future when the certificate is renewed.
+
+Currently my web server's certificate uses the ECDSA algorithm:
 
 ```text
 $ cd ../bovender/
@@ -177,7 +179,7 @@ the pound sign (`#`) MUST NOT be included in the record, of course.
 2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7 # R11
 ```
 
-Following the advice by "~viktor" on [ISI.edu][isi], I have left only those two
+Following the advice by _viktor_ on [ISI.edu][isi], I have left only those two
 records in my DNS zone that represent currently used intermediate CAs (R10 and
 R11). I know that `certbot` will not issue ECDSA certificates for my mail server
 because the configuration file (see above) contains the line `key_type=RSA`. My
@@ -186,14 +188,14 @@ web server as [Chrome and Firefox do not support it][dane].
 
 ## Verify the validity of the TLSA record
 
-To test the DANE works as expected, try one of these sites:
+To test that DANE works as expected, try one of these sites:
 
 - <https://www.mailhardener.com/tools/dane-validator?domain=bovender.de>
 - <https://dane.sys4.de/smtp/bovender.de>
-- <https://www.nslookup.io/domains/bovender.de/dns-records/tlsa/>
 
-Place this into your DNS records and wait for the updated records to propagate
-worldwide.
+Query TLSA records:
+
+- <https://www.nslookup.io/domains/_25._tcp.bovender.de/dns-records/tlsa/>
 
 ## "Die Moral von der Geschicht"