Best practice TLSA RRs for CA-issued certs

Michael Grimm trashcan at
Thu Dec 29 22:12:51 CET 2016

On 29 Dec 2016, at 21:56, Patrick Domack <patrickdk at> wrote:
> Quoting Michael Grimm <trashcan at>:

>> But until that time, I will avoid human intervention into a process where two autorotation tools go for "incompatible" tasks :-) Or is there one single tool dealing with DNSSEC, TLSA rotation, and LE upgrades on the market?
> You just add it as part of your certificate update script.
> Just like you would have it bind a call to update like apache for certificate pinning, you have it call nsupdate to add the new tlsa record into your dns server.

Well, that sounds much better than assumed. But I will test it in a test jail, first.

Thank you, again, and with kind regards,
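The update-hook approach Patrick describes, as an added example that is not part of this thread: a Python script a certificate-renewal hook could run to derive the DANE-EE TLSA RDATA (usage 3, selector 1, matching type 1: SHA-256 over the certificate's DER SubjectPublicKeyInfo) and emit the batch to pipe into nsupdate. The certificate bytes, zone and owner names are constructed placeholders, and the DER walker assumes a well-formed RFC 5280 certificate.

```python
import hashlib
def der_tlv(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed sample certificate below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8               # long-form length, minimal octets
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body

def _read_tlv(buf, pos):
    """Return (tag, body_start, body_end) for the DER element that starts at pos."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def spki_der(cert_der):
    """Raw DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 field order)."""
    _, pos, end = _read_tlv(cert_der, _read_tlv(cert_der, 0)[1])   # Certificate -> tbsCertificate
    fields = []                                          # (tag, element_start, element_end)
    while pos < end:
        tag, _, body_end = _read_tlv(cert_der, pos)
        fields.append((tag, pos, body_end))
        pos = body_end
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version (absent in v1)
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, start, stop = fields[5]
    return cert_der[start:stop]

def tlsa_3_1_1(cert_der):
    """RDATA of a DANE-EE(3) / SPKI(1) / SHA-256(1) TLSA record for this certificate."""
    return "3 1 1 " + hashlib.sha256(spki_der(cert_der)).hexdigest()

def nsupdate_batch(zone, owner, new_rdata, old_rdata=None, ttl=3600):
    """Batch for `nsupdate -k <tsig.key>`; pass old_rdata only after the new cert is live and the old TTL has expired."""
    lines = [f"zone {zone}", f"update add {owner} {ttl} IN TLSA {new_rdata}"]
    if old_rdata:
        lines.append(f"update delete {owner} IN TLSA {old_rdata}")
    return "\n".join(lines + ["send"]) + "\n"

# Constructed v3 certificate skeleton: placeholder P-256 key, empty names, empty signature.
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a8648ce3d0201"))      # ecPublicKey
                                    + der_tlv(0x06, bytes.fromhex("2a8648ce3d030107")))     # prime256v1
                      + der_tlv(0x03, b"\x00\x04" + b"\x11" * 64))
SIG_ALG = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a8648ce3d040302")))                 # ecdsa-with-SHA256
SAMPLE_TBS = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + SIG_ALG + der_tlv(0x30, b"")
              + der_tlv(0x30, der_tlv(0x17, b"161229000000Z") * 2) + der_tlv(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = der_tlv(0x30, der_tlv(0x30, SAMPLE_TBS) + SIG_ALG + der_tlv(0x03, b"\x00"))
```

In a deployment hook the certificate would be read from the renewed cert file instead of SAMPLE_CERT, and the returned text piped to nsupdate with a TSIG key that is only allowed to update the TLSA owner names.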
