Best practice TLSA RRs for CA-issued certs

Viktor Dukhovni ietf-dane at
Thu Dec 29 22:01:29 CET 2016

> On Dec 29, 2016, at 3:41 PM, Michael Grimm <trashcan at> wrote:
>> Using a "3 1 1" + "2 1 1" combination simplifies
>> the rotation procedure.
> Ok. But that will come to human intervention. And that is something I do
> want to avoid. Although I am only hosting a handful users, my services
> sometimes do need to run unattended for some weeks (being abroad
> job-related, vacations, and such). Thus, I have been looking for
> a solution that works automatically like opendnssec. But that is
> not available for the combination of DANE and LE certificates.

The human intervention is not constrained to happen at any particular
time at which you may be unavailable.  Rather your certificate continues
to be *automatically* renewed with the same underlying key-pair indefinitely.

At such time as you *choose* to perform key rotation, you run a suitable
script to generate new keys, obtain a new cert, deploy it, update the DNS
"TLSA 3 1 1" record and check that everything is in order.  Then you can
let the automated tools take it from there for some indefinite new period.

>>> #) .. and forget about the issues mentioned above?
>> Yes.  Though you may need an LE certificate for the submission
>> service, depending on which clients are doing that.  (Mobile
>> phones tend to be difficult to configure for pinned non-CA trust).
> Ouch! Thanks, but I completely overlooked that issue.
> Well, I do have to dig into postfix' documentation more thoroughly than I during the last minutes. All my users and myself are using Apple's (bench and mobile), and myself roundcube once in a while. Those clients work well in this regard, until today.

The "smtpd_tls_cert_file" and "smtpd_tls_key_file" settings can
take overrides in the submission entry.

> #) looking for a functionality in postfix that allows for different certificates for 25 and 587

No need for a second instance just for separate submission certs.
The folks at have automated LE certificate
management and key rotation.  In my survey I see repeated successful
TLSA record and certificate rollovers for domains running that stack.
I continue to be impressed by their attention to detail.

The mailinabox MX hosts represent 526 out of of ~2300 MX hosts with
working TLSA records, so their stack is a noticeably large fraction
of the deployed base (by server count, the hosting providers of course
dominate by domain count).


More information about the dane-users mailing list