Deployment news ( publishes TLSA RRs)

Patrick Domack patrickdk at
Sat Nov 21 04:38:14 CET 2015

Quoting Viktor Dukhovni <ietf-dane at>:

> On Fri, Nov 20, 2015 at 09:48:43PM -0500, Patrick Domack wrote:
>> Yes, I have noticed it is a big movement in germany. Have had a lot of
>> people asking for help on setting up dane the last few months from there.
>> But can't get any movement that is noticable here in the usa.
> Perhaps we need a new protocol by which a TLS server can securely
> pre-publish the next certificate without activating it (say include
> it in a new TLS extension), thus allowing the DNS server operator
> to automate TLSA record updates by querying the SMTP server
> (authenticated via the current records).

That sounds pretty difficult to adjust for, and would need a lot of changes.

I like the current dnssec method, where we can publish multiple keys.  
I will generally publish a new key a month ahead of time for my ksk  
rollover, then rotate it, and then a month later remove the old key.

The same method could be done for tlsa, by publishing multiple  
records. I have not tested if any software accepts this or not, but  
just publishing the new one a week ahead of time, rotating it, and  
removing the old one at the same or later time (in case of failback),  
to me sounds like the perferred method.

More information about the dane-users mailing list