Best practice TLSA RRs for CA-issued certs

Viktor Dukhovni ietf-dane at
Thu Dec 29 20:47:28 CET 2016

> On Dec 29, 2016, at 2:31 PM, Michael Grimm <trashcan at> wrote:
>> In particular, this is the best practice with Let's Encrypt
>> issued SMTP server certificates, as explained in:
> First of all I do have to admit that I am lacking knowledge when it comes to certificates, in general. So far, I got along with self-signed certificates that I did generate with the help of all those numerous howtos one can find. It worked.

See also:

> If I do remember correctly, and if I do understand your conclusions in other mails correctly, long-lasting self-signed certificates plus periodically rotated TLSAs are still a good basis to run a secured mailserver at port 25. (FYI: I am using opendnssec for rotating every 3 months.)

Yes, you're mostly better off self-signed on port 25.

> After having read this best practice document, I am still hesitant to deploy a LE certificate to my mailserver's domain, because I do not understand all the implications, yet.

LE means automatic rotation of the cert (by default with a new key)
approximately every 90 days.  That can mean that you also need to
implement unattended rotation of your TLSA records, but I think it
is simpler to use a stable key-pair, which is rotated less frequently,
and interactively.  Using a "3 1 1" + "2 1 1" combination simplifies
the rotation procedure.

> Thus I would like to raise some newbie questions regarding the following project:
> 	domain:
> 	mailserver: with TLSA 3 1 1
> 	IMAP server:
> 	webserver:
> #) Would it be possible to get *two* distinct LE certificates, one for the IMAP and one for the webserver ..

Certainly if you use different hostnames "", ... "" as above.

> #) .. and simultaneously *keep* my selfsigned certificate for the mailserver ..

Of course.

> #) .. and forget about the issues mentioned above?

Yes.  Though you may need an LE certificate for the submission
service, depending on which clients are doing that.  (Mobile
phones tend to be difficult to configure for pinned non-CA trust).

> #) Or should I strictly separate my mailserver from the rest by means
> of distinct domains, instead?

Hostnames under a common domain should be fine.  Mind you, I've no
experience actually using LE (at present), but I can't imagine that
it would be difficult to obtain separate certificates for various
names under a common domain.
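
The "3 1 1" + "2 1 1" combination and the stable-key-pair point from the
reply above, as an added worked example that is not part of this thread
or of any DANE tool.  It assumes OpenSSL, od and tr are installed; the
hostname mx.example.org and the "Example CA" issuer are placeholders, and
all keys and certificates are constructed on the fly in a scratch
directory.  The script derives the SPKI SHA-256 digest that both record
types carry, renders the TLSA RRs, then shows that re-issuing a
certificate on the same key leaves the "3 1 1" record untouched, while a
re-keyed leaf is still covered by the "2 1 1" record for its issuer.

```shell
#!/bin/sh
# Added example, not code from the dane-users thread.  Assumed tools:
# openssl, od, tr (POSIX).  Names under /CN= are placeholders.
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM certificate: the
# association data of a "3 1 1" (own key) or "2 1 1" (issuer key) record.
tlsa_spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | od -An -tx1 | tr -d ' \n'
}

# Render a complete TLSA RR for port 25 of host $3 from certificate $1
# with usage $2 (2 = issuer key, 3 = server's own key).
tlsa_rr() {
    printf '_25._tcp.%s. IN TLSA %s 1 1 %s\n' "$3" "$2" "$(tlsa_spki_sha256 "$1")"
}

# Usage-3 check: does certificate $2 carry the published digest $1?
tlsa_matches() {
    [ "$1" = "$(tlsa_spki_sha256 "$2")" ]
}

# Usage-2 check: does issuer cert $2 carry digest $1, and does leaf $3
# chain to it?  (The server must send the issuer cert in its chain.)
tlsa_ta_covers() {
    tlsa_matches "$1" "$2" && openssl verify -CAfile "$2" "$3" >/dev/null 2>&1
}

# Constructed fixtures in directory $1:
#   mx.key            stable server key, re-certified twice (90-day certs)
#   ca.key / ca.pem   a private issuer standing in for an intermediate CA
#   mx-new.pem        a re-keyed leaf signed by that issuer
make_fixtures() {
    d=$1
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/mx.key"
    for yr in 2016 2017; do
        openssl req -x509 -new -key "$d/mx.key" -subj /CN=mx.example.org \
            -days 90 -out "$d/mx-$yr.pem" 2>/dev/null
    done
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca.key"
    openssl req -x509 -new -key "$d/ca.key" -subj "/CN=Example CA" \
        -days 3650 -out "$d/ca.pem" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/mx-new.key"
    openssl req -new -key "$d/mx-new.key" -subj /CN=mx.example.org \
        -out "$d/mx-new.csr" 2>/dev/null
    openssl x509 -req -in "$d/mx-new.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 90 -out "$d/mx-new.pem" 2>/dev/null
}

demo_rotation() {
    d=$(mktemp -d)
    make_fixtures "$d"
    echo "# same key, re-issued cert: the 3 1 1 record does not change"
    tlsa_rr "$d/mx-2016.pem" 3 mx.example.org
    tlsa_rr "$d/mx-2017.pem" 3 mx.example.org
    echo "# issuer record, pre-published so a server re-key stays covered"
    tlsa_rr "$d/ca.pem" 2 mx.example.org
    echo "# re-keyed leaf: old 3 1 1 no longer matches, 2 1 1 still covers it"
    old=$(tlsa_spki_sha256 "$d/mx-2016.pem")
    tlsa_matches "$old" "$d/mx-new.pem" && echo "3 1 1: match" || echo "3 1 1: no match"
    ca=$(tlsa_spki_sha256 "$d/ca.pem")
    tlsa_ta_covers "$ca" "$d/ca.pem" "$d/mx-new.pem" && echo "2 1 1: covered"
    rm -rf "$d"
}

demo_rotation
```

Two practical notes.  First, the "3 1 1" digest only stays stable across
ACME renewals if the client is told to reuse the key pair; a renewal that
generates a fresh key changes the digest and the DNS must be updated
before the new certificate is deployed.  Second, a "2 1 1" record names
the issuer by its public key only, so the server has to include that
issuer certificate in the chain it presents, otherwise a DANE verifier
has nothing to match the digest against.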

