Best practice TLSA RRs for CA-issued certs

Michael Grimm trashcan at
Thu Dec 29 22:24:14 CET 2016

On 29 Dec 2016, at 22:01, Viktor Dukhovni <ietf-dane at> wrote:
> On Dec 29, 2016, at 3:41 PM, Michael Grimm <trashcan at> wrote:

>> Ok. But that will come to human intervention.
> The human intervention is not constrained to happen at any particular
> time at which you may be unavailable.  Rather your certificate continues
> to be *automatically* renewed with the same underlying key-pair indefinitely.
> At such time as you *choose* to perform key rotation, you run a suitable
> script to generate new keys, obtain a new cert, deploy it, update the DNS
> "TLSA 3 1 1" record and check that everything is in order.  Then you can
> let the automated tools take it from there for some indefinite new period.

Oh! I do have to admit then that I didn't understand that approach of combining two different TLSA "types". I believed that I wouldn't have the "supervision" about *when* to intervene manually. As I mentioned before, I am having difficulties in understanding the complete picture regarding this process.

But, your and Patrick's feedback will let me start investigating the process of automatic LE certificate and DNSSEC/TLSA renewals in a test jail. I believe that I will understand it better by doing :-) 

>> Well, I do have to dig into postfix' documentation more thoroughly than I did during the last minutes. All my users and myself are using Apple's (bench and mobile), and myself roundcube once in a while. Those clients work well in this regard, until today.
> The "smtpd_tls_cert_file" and "smtpd_tls_key_file" settings can
> take overrides in the submission entry.

I knew that you knew it :-) Thanks. I will test that.

>> #) looking for a functionality in postfix that allows for different certificates for 25 and 587
> No need for a second instance just for separate submission certs.

Again. Thanks for your feedback. I will test this.

> The folks at have automated LE certificate
> management and key rotation.  In my survey I see repeated successful
> TLSA record and certificate rollovers for domains running that stack.
> I continue to be impressed by their attention to detail.
> The mailinabox MX hosts represent 526 out of ~2300 MX hosts with
> working TLSA records, so their stack is a noticeably large fraction
> of the deployed base (by server count, the hosting providers of course
> dominate by domain count).

Ok, it *can* be done (by professionals :-) ).

Thanks and with kind regards,
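The point Viktor makes above, that a "TLSA 3 1 1" record covers the SubjectPublicKeyInfo and therefore survives any renewal that keeps the same key pair, is easiest to see by computing the record. The following is an added example, not code from this thread or from any of the tools mentioned in it. It assumes RSA keys (the tiny DER encoder covers only the rsaEncryption SubjectPublicKeyInfo), uses constructed placeholder moduli rather than real keys, and needs only the Python standard library. It also models the rotation procedure Viktor describes: publish old and new records side by side, deploy the new certificate, and retire the old record only once the server actually serves the new key.

```python
"""TLSA "3 1 1" helper: added example, not code from the dane-users thread.

Assumptions: RSA keys only (the DER encoder covers just the rsaEncryption
SubjectPublicKeyInfo), and the moduli below are constructed placeholders,
not real keys.  Standard library only.
"""
import hashlib

# --- minimal DER encoder, enough for an RSA SubjectPublicKeyInfo ----------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b          # long-form length

def _der(tag, payload):
    return bytes([tag]) + _der_len(len(payload)) + payload

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                              # keep the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def rsa_spki_der(n, e):
    """DER SubjectPublicKeyInfo for the RSA public key (n, e)."""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))                 # RSAPublicKey
    alg = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))           # BIT STRING, 0 unused bits

# --- TLSA 3 1 1: usage 3 (DANE-EE), selector 1 (SPKI), matching 1 (SHA-256)
def tlsa_3_1_1(spki_der):
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()

def spki_matches(spki_der, published_records):
    """True if the key the server serves is covered by a published record."""
    return tlsa_3_1_1(spki_der) in published_records

def rotation_records(old_spki, new_spki):
    """Records to publish while rotating: old and new side by side."""
    return sorted({tlsa_3_1_1(old_spki), tlsa_3_1_1(new_spki)})

def old_record_retirable(deployed_spki, new_spki):
    """The old record may be dropped only once the server serves the new key."""
    return tlsa_3_1_1(deployed_spki) == tlsa_3_1_1(new_spki)

# --- constructed placeholder keys (NOT real RSA moduli) --------------------
def _placeholder_modulus(label):
    raw = hashlib.sha256(label).digest() * 8     # 2048 bits of deterministic filler
    return int.from_bytes(raw, "big") | (1 << 2047) | 1

OLD_N = _placeholder_modulus(b"constructed-old-key")
NEW_N = _placeholder_modulus(b"constructed-new-key")
E = 65537

OLD_SPKI = rsa_spki_der(OLD_N, E)
NEW_SPKI = rsa_spki_der(NEW_N, E)
OLD_RECORD = tlsa_3_1_1(OLD_SPKI)

if __name__ == "__main__":
    # A renewal that re-uses the key pair yields the same SPKI, so the record stays valid.
    print("renewal keeps record:", tlsa_3_1_1(rsa_spki_der(OLD_N, E)) == OLD_RECORD)
    print("publish during rotation:", rotation_records(OLD_SPKI, NEW_SPKI))
    print("retire old record now?", old_record_retirable(OLD_SPKI, NEW_SPKI))
```

With a real deployment you would feed `tlsa_3_1_1()` the SPKI extracted from the certificate the server actually serves (for example from a TLS handshake capture), compare it against the records in DNS with `spki_matches()`, and only then let the automated renewal continue; the `old_record_retirable()` check is the "check that everything is in order" step before the old record is removed.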

More information about the dane-users mailing list