Best practice TLSA RRs for CA-issued certs
Patrick Domack
patrickdk at patrickdk.com
Thu Dec 29 20:56:33 CET 2016
Quoting Michael Grimm <trashcan at ellael.org>:
> On 14 Apr 2016, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> I know, that's an old mail :-) But I have saved it for the time I
> will be ready to deploy LE certificates. That time has come.
>
>> One approach to making sure that DANE TLSA records are less likely
>> to fail that should work well for sites using CA-issued certificates
>> is to publish both "3 1 1" and "2 1 1" TLSA records:
>>
>> mx.example. IN TLSA 3 1 1 <digest of server public key>
>> mx.example. IN TLSA 2 1 1 <digest of immediate issuer public key>
> […]
>
> #) Would it be possible to get *two* distinct LE certificates, one
> for the IMAP and one for the webserver ..
> #) .. and simultaneously *keep* my selfsigned certificate for the
> the mailserver ..
> #) .. and forget about the issues mentioned above?
>
> #) Or should I strictly separate my mailserver from the rest by
> means of distinct domains, instead?
You can get multiple certificates; I have several myself in a single
domain, and do this same thing.
I am using an LE certificate for my DANE TLSA records, and I do have
the auto-rotation script update the TLSA entry. While this is as
simple as it sounds, dnssec makes it more complicated.
You have to remember your dns ttl and dnssec rrsig ttl and rrsig
expiration for the given entry. I have switched to using dns slave
servers and in my implementation that means dnssec rrsig values are
signed valid for a week, so I don't push out the new certificate from
LE, till two weeks after I added the TLSA dns record, to be safe.
The only issue I have had with selfsigned certs is that some
mailservers will not send you email if you use one, since the sender
has turned on certificate verification, and it will not fall back to
non-encrypted to send email. This is mainly a misconfig on their part,
but it matters if you want email from them. This has been very minimal
impact, but I have seen it a few times.
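Producing the "3 1 1" and "2 1 1" pair that the quoted advice recommends, as an added example that is not from this thread: it pulls the SubjectPublicKeyInfo out of DER certificates with a minimal stdlib parser and hashes it. The two certificates are constructed, unsigned DER shells with placeholder key bytes, and the owner name _25._tcp.mx.example. is assumed.

```python
import hashlib

def der(tag, payload):
    """Minimal DER TLV encoder, used only to build the constructed sample certs."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_tlv(buf, pos):
    """Decode one TLV header at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, pos, end):
    """Return [(tag, raw_tlv_bytes)] for the elements of a constructed value."""
    out = []
    while pos < end:
        tag, _, vend = der_tlv(buf, pos)
        out.append((tag, buf[pos:vend]))
        pos = vend
    return out

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of an RFC 5280 Certificate."""
    _, s, e = der_tlv(cert_der, 0)                      # Certificate ::= SEQUENCE
    tbs = der_children(cert_der, s, e)[0][1]            # tbsCertificate
    _, ts, te = der_tlv(tbs, 0)
    fields = der_children(tbs, ts, te)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version (v2/v3)
        fields = fields[1:]
    return fields[5][1]   # serial, signature, issuer, validity, subject, SPKI

def spki_digest(cert_der):
    """Matching type 1 = SHA-256 over the full SPKI (selector 1)."""
    return hashlib.sha256(spki_from_cert(cert_der)).hexdigest()

def tlsa_records(owner, leaf_der, issuer_der):
    """'3 1 1' pins the server key; '2 1 1' pins the immediate issuer key."""
    return [f"{owner} IN TLSA 3 1 1 {spki_digest(leaf_der)}",
            f"{owner} IN TLSA 2 1 1 {spki_digest(issuer_der)}"]

def fake_cert(key_bytes, version=True):
    """Constructed sample: structurally valid Certificate DER, no real key or signature."""
    fields = [der(0x02, b"\x01")] + [der(0x30, b"")] * 4 + [der(0x30, key_bytes)]
    if version:
        fields.insert(0, der(0xA0, der(0x02, b"\x02")))
    tbs = der(0x30, b"".join(fields))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

LEAF_DER = fake_cert(b"leaf-key-bytes")                  # v3-style, with version field
ISSUER_DER = fake_cert(b"issuer-key-bytes", version=False)  # v1-style, no version field

if __name__ == "__main__":
    for rr in tlsa_records("_25._tcp.mx.example.", LEAF_DER, ISSUER_DER):
        print(rr)
```

With real certificates, feed the DER bytes of the leaf and its issuer (e.g. converted from PEM) to tlsa_records; the old "3 1 1" record stays published alongside the new one until the DNS TTL and RRSIG validity window described above have passed.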