Best practice TLSA RRs for CA-issued certs
patrickdk at patrickdk.com
Thu Dec 29 21:56:52 CET 2016
Quoting Michael Grimm <trashcan at ellael.org>:
> On 29 Dec 2016, at 20:56, Patrick Domack <patrickdk at patrickdk.com> wrote
>> Quoting Michael Grimm <trashcan at ellael.org>:
>>> #) Would it be possible to get *two* distinct LE certificates, one
>>> for the IMAP and one for the webserver ..
>>> #) .. and simultaneously *keep* my selfsigned certificate for the
>>> the mailserver ..
>>> #) .. and forget about the issues mentioned above?
>>> #) Or should I strictly separate my mailserver from the rest by
>>> means of distinct domains, instead?
>> You can get multiple certificates, I have several myself in a
>> single domain, and so this same thing.
> Thanks for your feedback. Then I will gor for that.
>> I am using an LE certificate for my DANE TLSA records, and I do
>> have the auto-rotation script update the TLSA entry. While this is
>> as simple as it sounds, dnssec makes it more complicated.
>> You have to remember your dns ttl and and dnssec rrsig ttl and
>> rrsig expiration for the given entry. I have switched to using dns
>> slave servers and in my implementation that means dnssec rrsig
>> values are signed valid for a week, so I don't push out the new
>> certificate from LE, till two weeks after I added the TLSA dns
>> record, to be safe.
> See my answers to Viktor. I am very hesitant when it comes to human
> intervention. Thus, I will avoid it.
>> The only issue I have had with selfsigned certs is that some
>> mailservers will not send you email if you use one, since the
>> sender has turned on certificate verification, and it will not fail
>> back to non-encrypted to send email. This is mainly a misconfig on
>> their part, but it matters if you want email from them. This has
>> been very minimal impact, but I have seen it a few times.
> I haven't run into that issue, yet, luckily. If that will happen to
> my users, I will have to take the burden and apply LE certificates
> for port 25 as well. But until that time, I will avoid human
> intervention into a process where two autorotation tools go for
> "incompatible" tasks :-) Or is there one single tool dealing with
> DNSSEC, TLSA rotation, and LE upgrades on the market?
You just add it as part of your certificate update script.
Just like you would have it bind a call to update like apache for
certificate pinning, you have it call nsupdate to add the new tlsa
record into your dns server.
More information about the dane-users