+DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 6ec4a7b5f5310953ea3d6deb3f210ba60923be16bf1450b7a45e7567e98287bc
+
+
+; full MX, sha256, TA-mode, cert-key-only
+; Indicates a trust-anchor for a chain involving an Authority Key ID extension
+; linkage, as this excites a bug in OpenSSL 1.0.2 which the DANE code has to
+; work around, while synthesizing a selfsigned parent for it.
+; As it happens it is also an intermediate cert in the CA-rooted chain, as this
+; was initially thought ot be a factor.
+;
+; openssl x509 -in aux-fixed/exim-ca/example.com/CA/Signer.pem -noout -pubkey \
+; | openssl pkey -pubin -outform DER \
+; | openssl dgst -sha256 \
+; | awk '{print $2}'
+;
+; Since this refers to a cert in the exim-ca tree, it must be regenerated any time that tree is.
+;
+DNSSEC mxdane256tak MX 1 dane256tak
+DNSSEC dane256tak A HOSTIPV4
+DNSSEC _1225._tcp.dane256tak TLSA 2 1 1 7e241508cffb12c85b1b06a00268f6f7f926ba742db671f3994cbebc81368816