Best practice TLSA RRs for CA-issued certs

Michael Grimm trashcan at ellael.org
Thu Dec 29 22:12:51 CET 2016


On 29 Dec 2016, at 21:56, Patrick Domack <patrickdk at patrickdk.com> wrote:
> 
> Quoting Michael Grimm <trashcan at ellael.org>:

>> But until that time, I will avoid human intervention into a process where two autorotation tools go for "incompatible" tasks :-) Or is there one single tool dealing with DNSSEC, TLSA rotation, and LE upgrades on the market?
> 
> You just add it as part of your certificate update script.
> 
> Just like you would have it bind a call to update like apache for certificate pinning, you have it call nsupdate to add the new tlsa record into your dns server.

Well, that sounds much better than assumed. But I will test it in a test jail, first.

Thank you, again, and with kind regards,
Michael
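The certificate-update hook Patrick describes, written out as an added example (not code from the thread or from any of the tools mentioned): it computes the TLSA "3 1 1" digest of a freshly issued certificate with openssl and builds the nsupdate batch that publishes it. The name server, zone, host, port, TTL and TSIG key path are assumptions.

```shell
#!/bin/sh
# Added example: publish a TLSA 3 1 1 record (DANE-EE, SubjectPublicKeyInfo,
# SHA-256) for a newly issued certificate via nsupdate. All names are assumed.
set -eu

# Hex SHA-256 of the certificate's SubjectPublicKeyInfo (TLSA selector 1,
# matching type 1). Hashing the key rather than the whole certificate keeps
# the record valid across renewals that reuse the same key pair.
tlsa_311_digest() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# nsupdate batch that ADDS the new record. Existing records are left alone:
# the new one is published alongside the old until the rollover is complete.
nsupdate_batch() {
    ns="$1"; zone="$2"; host="$3"; port="$4"; ttl="$5"; digest="$6"
    printf 'server %s\n' "$ns"
    printf 'zone %s\n' "$zone"
    printf 'update add _%s._tcp.%s. %s IN TLSA 3 1 1 %s\n' \
        "$port" "$host" "$ttl" "$digest"
    printf 'send\n'
}

# nsupdate batch that RETIRES a superseded record, for a later run once the
# new certificate is live and the old RRset has expired from caches.
nsupdate_retire() {
    ns="$1"; zone="$2"; host="$3"; port="$4"; digest="$5"
    printf 'server %s\n' "$ns"
    printf 'zone %s\n' "$zone"
    printf 'update delete _%s._tcp.%s. IN TLSA 3 1 1 %s\n' \
        "$port" "$host" "$digest"
    printf 'send\n'
}

# Usage from an ACME deploy hook (paths and names are assumptions):
#   ./tlsa-update.sh /etc/letsencrypt/live/mail.example.org/cert.pem
if [ $# -ge 1 ]; then
    digest=$(tlsa_311_digest "$1")
    nsupdate_batch ns1.example.org example.org mail.example.org 25 3600 "$digest" \
        | nsupdate -k /etc/tlsa-update.key
fi
```

Publish the new record before the service starts presenting the new certificate, and remove the old record only after the new certificate is live and at least the old RRset's TTL has passed; otherwise DANE-validating peers will reject the connection during the rollover.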

