Please note:

Viktor Dukhovni ietf-dane at
Tue May 5 01:26:59 CEST 2015

I'd like to draw everyone's attention to:

When you are planning to replace certificates of SMTP servers with
published TLSA records, you MUST *first* publish a transitional
TLSA RRset:

    IN TLSA 3 1 1 <current-digest>
    IN TLSA 3 1 1 <next-digest>

let that "burn in" for a few TTLs, while DNS caches time out the
previous RRset containing only the current digest.

Then and only then, deploy the certificate chain whose leaf (public
key in the above example) digest is <next-digest>.  Once that appears
to work, you can remove the stale digest from DNS:

    IN TLSA 3 1 1 <next-now-current-digest>

I am seeing an uptick in the number of sites that replace their
certificates, but neglect to update their TLSA records.  That's
not a good plan.  DO NOT DO THAT.  If maintaining valid TLSA records
is too difficult, don't publish them, you'll be forgiven.
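A worked version of the three-step rollover described above, added here as an example and not code from the original post. The SPKI byte strings, the owner name `_25._tcp.mx.example.com.` and the burn-in period of two old TTLs are constructed assumptions; the digest computation is the standard one for a "3 1 1" record (SHA-256 over the DER SubjectPublicKeyInfo).

```python
import hashlib

def tlsa_3_1_1_digest(spki_der: bytes) -> str:
    """Digest field of a 'TLSA 3 1 1' record: usage 3 (DANE-EE), selector 1
    (SubjectPublicKeyInfo), matching type 1 (SHA-256 of the DER SPKI)."""
    return hashlib.sha256(spki_der).hexdigest()

def tlsa_rrset(owner: str, digests) -> list:
    """Render one RR per digest, e.g. '<owner> IN TLSA 3 1 1 <hex>'."""
    return [f"{owner} IN TLSA 3 1 1 {d}" for d in sorted(digests)]

def verifier_accepts(published: set, server_spki_der: bytes) -> bool:
    """What a DANE-aware SMTP client checks: the key the server presents must
    match at least one of the published 3 1 1 digests."""
    return tlsa_3_1_1_digest(server_spki_der) in published

def rollover_plan(owner: str, current_spki_der: bytes, next_spki_der: bytes) -> list:
    """The three DNS states of the procedure, in order; the new certificate is
    deployed only between state 2 and state 3."""
    cur, nxt = tlsa_3_1_1_digest(current_spki_der), tlsa_3_1_1_digest(next_spki_der)
    return [
        ("1. before rollover", tlsa_rrset(owner, {cur})),
        ("2. transitional, burn in for a few TTLs", tlsa_rrset(owner, {cur, nxt})),
        ("3. after the new certificate is seen working", tlsa_rrset(owner, {nxt})),
    ]

def safe_to_deploy_next(published: set, current_spki_der: bytes, next_spki_der: bytes,
                        seconds_since_published: int, old_ttl: int, burn_in_ttls: int = 2):
    """Gate for the certificate swap: both digests must be in DNS and the
    transitional RRset must have outlived caches of the old RRset.
    Returns (ok, reason)."""
    cur, nxt = tlsa_3_1_1_digest(current_spki_der), tlsa_3_1_1_digest(next_spki_der)
    if nxt not in published:
        return False, "next digest not in DNS: swapping now breaks DANE clients"
    if cur not in published:
        return False, "current digest removed too early: server still presents it"
    if seconds_since_published < burn_in_ttls * old_ttl:
        return False, "transitional RRset has not burned in; caches may hold only the old digest"
    return True, "ok to deploy the certificate with the next key"

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
CURRENT_SPKI = b"constructed-current-spki-der"
NEXT_SPKI = b"constructed-next-spki-der"
OWNER = "_25._tcp.mx.example.com."  # hypothetical MX owner name

if __name__ == "__main__":
    for state, rrs in rollover_plan(OWNER, CURRENT_SPKI, NEXT_SPKI):
        print(state)
        print("\n".join("    " + r for r in rrs))
    # The mistake the post warns about: new cert, TLSA still holds only the old digest.
    print(safe_to_deploy_next({tlsa_3_1_1_digest(CURRENT_SPKI)}, CURRENT_SPKI, NEXT_SPKI, 99999, 3600))
```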


More information about the dane-users mailing list