Given that the gentoo.org zone is signed, it would be beneficial to add tlsa records. At the very least, _25._tcp.mail.gentoo.org and _25._tcp.lists.gentoo.org should be added. (But fix bug #502370 before adding _25._tcp.lists.gentoo.org. A type 3 cert for _25._tcp.mail.gentoo.org can be added at any time.) 3 1 1 or 3 0 1 tlsa do well for mx. Entries for the https servers also can be added.
How would DANE be useful?
It would enable MTAs which send to @lists.gentoo.org and @gentoo.org to verify that the mail actually makes it to the MX. And without a MitM. Even though not many support checking (postfix added it in 2.11, the current ~ version) yet, most MTAs do not link in the /etc/ssl/certs CAs, and as such will do no verifications w/o dane. And given that gentoo.org is already signed, the cost is negligible. As an aside, debian supports dane, and the ietf MXs will add it as soon as the contractor gets tls working. Which is expected to be right after the upcoming meeting. There will, I expect, over time also be a positive reputation benefit for the project in the form of evidence of security consciousness and community leadership.
I'll get there, I have promised DANE for a long time for Gentoo, I just need to work on better automating generation of the DNS records from our certs. Not just for mail, but for WWW as well.
*** Bug 508756 has been marked as a duplicate of this bug. ***
Created attachment 375766
tlsagen

Attached is the script I use to generate the TLSA records for MX hosts (courtesy of Victor Duchovni of postfix).

    $ tlsagen cert.pem $(uname -n) DANE-EE PKEY SHA2-256
    _25._tcp.mail.example.com IN TLSA 3 1 1 {hex string}

where "cert.pem" is the file with the SMTP server certificate, and $(uname -n) is the fully-qualified domain name of the server as an MX host for your domain. The shell script expects OpenSSL 1.0.0 or later, and will not work with earlier versions. When rotating keys, publish both the new and old TLSA records well in advance. Adjust as needed for https. Hope it helps.
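The generation step described in this comment, as an added example that is not the attached tlsagen script and not Gentoo infrastructure code: the same DANE-EE PKEY SHA2-256 computation (usage 3, selector 1, matching type 1) done with nothing but openssl(1), alongside the full-certificate "3 0 1" form mentioned earlier in the bug, a helper that emits records for both keys during the rotation window, and the port change needed for https. It assumes OpenSSL 1.0.0 or later (for "openssl pkey") and a POSIX sh; mail.example.com, www.example.com and the throwaway self-signed certificate the demo creates are constructed sample inputs, not real keys.

```shell
#!/bin/sh
# Added example, not the attached tlsagen script: derive DANE-EE TLSA records
# from a PEM certificate using only openssl(1). Assumes OpenSSL 1.0.0+ and a
# POSIX sh. All host names and certificates below are constructed samples.
set -eu

# tlsa_hash CERT SELECTOR
#   Print the lowercase hex SHA-256 (matching type 1) of either the whole DER
#   certificate (selector 0) or its DER SubjectPublicKeyInfo (selector 1).
tlsa_hash() {
    cert=$1
    selector=$2
    case $selector in
        0|1) ;;
        *) echo "tlsa_hash: selector must be 0 or 1" >&2; return 1 ;;
    esac
    {
        if [ "$selector" -eq 0 ]; then
            openssl x509 -in "$cert" -outform DER
        else
            openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER
        fi
    } | openssl dgst -sha256 | sed 's/^.*= *//' | tr 'A-F' 'a-f'
}

# tlsa_record HOST PORT CERT USAGE SELECTOR
#   Print one zone-file RR, e.g. "_25._tcp.mail.example.com. IN TLSA 3 1 1 <hex>".
tlsa_record() {
    host=$1; port=$2; cert=$3; usage=$4; selector=$5
    printf '_%s._tcp.%s. IN TLSA %s %s 1 %s\n' \
        "$port" "$host" "$usage" "$selector" "$(tlsa_hash "$cert" "$selector")"
}

# tlsa_rotation_set HOST PORT CERT...
#   During a key rollover the old and the new key must both be in DNS until the
#   old one is no longer served: emit a "3 1 1" record for every cert given.
tlsa_rotation_set() {
    host=$1; port=$2; shift 2
    for cert in "$@"; do
        tlsa_record "$host" "$port" "$cert" 3 1
    done
}

# new_selfsigned OUTDIR CN -> constructed throwaway key + cert for the demo
new_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

demo() {
    work=$(mktemp -d)
    mkdir "$work/current" "$work/next"
    new_selfsigned "$work/current" mail.example.com
    new_selfsigned "$work/next" mail.example.com
    echo '; MX: SPKI-pinned (3 1 1) and full-cert (3 0 1) forms of the current cert'
    tlsa_record mail.example.com 25 "$work/current/cert.pem" 3 1
    tlsa_record mail.example.com 25 "$work/current/cert.pem" 3 0
    echo '; rollover: publish both keys before switching the server to "next"'
    tlsa_rotation_set mail.example.com 25 "$work/current/cert.pem" "$work/next/cert.pem"
    echo '; the same certificate on an https host only changes the port label'
    tlsa_record www.example.com 443 "$work/current/cert.pem" 3 1
    rm -rf "$work"
}

demo
```

Run it as-is to see the five records; for a real deployment call tlsa_record with the server's own cert.pem and MX name. Selector 1 (SPKI) is the one that survives a certificate re-issue with the same key, which is why it is the usual choice for MX hosts; selector 0 pins the exact certificate and must be republished on every re-issue. A sanity check worth doing before publishing is to compare the selector-1 hash with the SHA-256 of the DER public key derived from the private key on the server: they must match, otherwise the cert in hand is not the one the daemon presents.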
While DANE/TLSA is available for gentoo.org, forums.gentoo.org or gitweb.gentoo.org, it is not available for wiki.gentoo.org and bugs.gentoo.org. Can you please have a look?
TLSA implemented everywhere, please open new bugs for any missing parts you see