+DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 cb0fa6a633e52c787657f5ca0da1030800223cac459577b9b6a55ac9733348e5
+
+
+; full MX, sha256, TA-mode, cert-key-only
+; Indicates a trust-anchor for a chain involving an Authority Key ID extension
+; linkage, as this excites a bug in OpenSSL 1.0.2 which the DANE code has to
+; work around, while synthesizing a selfsigned parent for it.
+; As it happens it is also an intermediate cert in the CA-rooted chain, as this
+; was initially thought ot be a factor.
+;
+; openssl x509 -in aux-fixed/exim-ca/example.com/CA/Signer.pem -noout -pubkey \
+; | openssl pkey -pubin -outform DER \
+; | openssl dgst -sha256 \
+; | awk '{print $2}'
+;
+; Since this refers to a cert in the exim-ca tree, it must be regenerated any time that tree is.
+;
+DNSSEC mxdane256tak MX 1 dane256tak
+DNSSEC dane256tak A HOSTIPV4
+DNSSEC _1225._tcp.dane256tak TLSA 2 1 1 73e279c0f5f5a9ee9851bbbc39023603d7b266acfd0764419c3b07cc380b79f9