Best practice TLSA RRs for CA-issued certs

Patrick Domack patrickdk at
Thu Dec 29 21:56:52 CET 2016

Quoting Michael Grimm <trashcan at>:

> On 29 Dec 2016, at 20:56, Patrick Domack <patrickdk at> wrote
>> Quoting Michael Grimm <trashcan at>:
>>> #) Would it be possible to get *two* distinct LE certificates, one  
>>> for the IMAP and one for the webserver ..
>>> #) .. and simultaneously *keep* my selfsigned certificate for the  
>>> the mailserver ..
>>> #) .. and forget about the issues mentioned above?
>>> #) Or should I strictly separate my mailserver from the rest by  
>>> means of distinct domains, instead?
>> You can get multiple certificates, I have several myself in a  
>> single domain, and do this same thing.
> Thanks for your feedback. Then I will go for that.
>> I am using an LE certificate for my DANE TLSA records, and I do  
>> have the auto-rotation script update the TLSA entry. While this is  
>> as simple as it sounds, dnssec makes it more complicated.
>> You have to remember your dns ttl and dnssec rrsig ttl and  
>> rrsig expiration for the given entry. I have switched to using dns  
>> slave servers and in my implementation that means dnssec rrsig  
>> values are signed valid for a week, so I don't push out the new  
>> certificate from LE, till two weeks after I added the TLSA dns  
>> record, to be safe.
> See my answers to Viktor. I am very hesitant when it comes to human  
> intervention. Thus, I will avoid it.
>> The only issue I have had with selfsigned certs is that some  
>> mailservers will not send you email if you use one, since the  
>> sender has turned on certificate verification, and it will not fall  
>> back to non-encrypted to send email. This is mainly a misconfig on  
>> their part, but it matters if you want email from them. This has  
>> been very minimal impact, but I have seen it a few times.
> I haven't run into that issue, yet, luckily. If that will happen to  
> my users, I will have to take the burden and apply LE certificates  
> for port 25 as well. But until that time, I will avoid human  
> intervention into a process where two autorotation tools go for  
> "incompatible" tasks :-) Or is there one single tool dealing with  
> DNSSEC, TLSA rotation, and LE upgrades on the market?

You just add it as part of your certificate update script.

Just like you would have it bind a call to update, e.g. apache, for  
certificate pinning, you have it call nsupdate to add the new TLSA  
record into your DNS server.

More information about the dane-users mailing list