This is a summary of the article from noflex.org: Implementing DNSSEC and DANE for email (archive.org snapshot). The key points of that long article are:
What you need is:
- a DNSSEC-capable nameserver (one that serves your signed zone)
- a DNSSEC-capable registrar (one that accepts the DS record for your zone)
- a DNSSEC-validating resolver, and an MTA with DANE support
To use DANE for your mail server, first enable DNSSEC for your domain foo.com, because DNSSEC is a prerequisite for DANE: a DANE client only trusts a TLSA record it received as a DNSSEC-validated answer. The DS record for your DNSSEC key must also be published at the registrar (some registrars accept the DNSKEY itself and derive the DS), so that the chain of trust reaches your zone from the parent. After that, specify the MX record(s) for the domain, for example mail.bar.com. The zone that holds mail.bar.com must be DNSSEC-signed as well, since the client will query that name with DNSSEC too.
Now the SMTP client performs DANE for mail.bar.com, the hostname obtained from the MX record of foo.com. To do that, the client queries the TLSA record at _25._tcp.mail.bar.com. Remember that SMTP runs over TCP port 25, which is where the _25._tcp prefix comes from.
So you must add the hash of your SMTP server's certificate (or, more commonly, of its public key) as a record of type TLSA at _25._tcp.mail.bar.com. The usual choice for SMTP is a "3 1 1" record: usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256); RFC 7672 also allows "2 1 1" (DANE-TA) when you prefer to pin the issuing CA. Whichever you publish, remember that a certificate renewal that changes the key pair invalidates the record: publish the new TLSA record (alongside the old one) before switching certificates, and keep both until the old record's TTL has expired.
Now the SMTP client may also verify the peer name. To pass that check, the certificate should carry the hostname obtained from the MX record, e.g. mail.bar.com, as a Subject Alternative Name (setting it as the CN alone is a legacy form that many TLS stacks only consult as a fallback). With a DANE-EE ("3 x x") record the name check is not required, because the pinned key itself identifies the server; with DANE-TA ("2 x x") the name must match. See this discussion about it on Server Fault (SF): What host name should the SSL certificate for an SMTP server contain?
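A worked example of the record-building step, added here and not part of the noflex.org article: the script below derives the TLSA record for the MX host from its certificate (the "3 1 1" form above, with the selector and usage adjustable), checks whether an already published record still matches the certificate, and sketches the live check an operator would run afterwards. The hostname mail.bar.com, the certificate path, and the presence of openssl and dig on the machine are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the noflex.org article). Builds the TLSA record for
# the MX host from its certificate and checks an existing record against it.
# The hostname mail.bar.com, the certificate path and the availability of
# openssl/dig are assumptions for illustration.
set -eu

# SHA-256 of stdin as lowercase hex (the TLSA presentation format).
sha256hex() {
  openssl dgst -sha256 -binary | od -An -v -tx1 | tr -d ' \n'
}

# tlsa_hash CERT.pem SELECTOR
# Selector 0 hashes the whole DER certificate (changes on every renewal);
# selector 1 hashes only the SubjectPublicKeyInfo, so the record stays valid
# across renewals as long as the key pair is kept.
tlsa_hash() {
  case "$2" in
    0) openssl x509 -in "$1" -outform DER | sha256hex ;;
    1) openssl x509 -in "$1" -noout -pubkey \
         | openssl pkey -pubin -outform DER | sha256hex ;;
    *) echo "unsupported selector: $2" >&2; return 2 ;;
  esac
}

# tlsa_from_cert CERT.pem MXHOST [USAGE] [SELECTOR]
# Prints the zone-file line to publish at _25._tcp.MXHOST. Defaults to the
# "3 1 1" form (DANE-EE, SPKI, SHA-256) that RFC 7672 recommends for SMTP.
tlsa_from_cert() {
  cert=$1; host=$2; usage=${3:-3}; selector=${4:-1}
  printf '_25._tcp.%s. IN TLSA %s %s 1 %s\n' \
    "$host" "$usage" "$selector" "$(tlsa_hash "$cert" "$selector")"
}

# tlsa_matches CERT.pem SELECTOR HEX
# Succeeds when the association data of a published record matches the
# certificate; run it before a renewal to see whether the record must change.
tlsa_matches() {
  want=$(printf '%s' "$3" | tr 'A-F' 'a-f')
  [ "$(tlsa_hash "$1" "$2")" = "$want" ]
}

# check_live MXHOST [PORT]
# Needs network access, so it is not exercised here. Step 1: the TLSA answer
# must carry the AD flag, i.e. the resolver validated it with DNSSEC; an
# unvalidated answer is ignored by DANE clients. Step 2: let OpenSSL enforce
# the published record against the chain the server actually presents
# (s_client does not fetch DNS itself, so the first record is passed in).
check_live() {
  host=$1; port=${2:-25}
  dig +dnssec +noall +comments +answer TLSA "_${port}._tcp.${host}"
  rrdata=$(dig +short TLSA "_${port}._tcp.${host}" | head -n 1)
  openssl s_client -starttls smtp -connect "${host}:${port}" \
    -dane_tlsa_domain "$host" -dane_tlsa_rrdata "$rrdata" </dev/null 2>&1 \
    | grep -E 'DANE TLSA|Verif'
}

# Usage: ./tlsa.sh /etc/ssl/mail.bar.com.pem mail.bar.com
if [ "$#" -ge 2 ]; then
  tlsa_from_cert "$1" "$2"
fi
```

Selector 1 is the choice that makes renewals painless: re-issuing a certificate for the same key pair leaves the SPKI hash, and therefore the published record, unchanged, and `tlsa_matches` confirms that before the new certificate goes live. In `check_live`, a TLSA answer without the `ad` flag in the dig output means the resolver did not validate it, and a DANE client will then fall back to unauthenticated TLS rather than enforce the record.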