Best practice TLSA RRs for CA-issued certs

Viktor Dukhovni ietf-dane at
Thu Dec 29 22:29:26 CET 2016

> On Dec 29, 2016, at 4:24 PM, Michael Grimm <trashcan at> wrote:
>> The folks at have automated LE certificate
>> management and key rotation.  In my survey I see repeated successful
>> TLSA record and certificate rollovers for domains running that stack.
>> I continue to be impressed by their attention to detail.
>> The mailinabox MX hosts represent 526 out of ~2300 MX hosts with
>> working TLSA records, so their stack is a noticeably large fraction
>> of the deployed base (by server count, the hosting providers of course
>> dominate by domain count).
> Ok, it *can* be done (by professionals :-) ).

Perhaps "dedicated volunteers" is a more apt description.  You might
find that using their software is simpler than "do it yourself" (DIY).
If all you want is a low-effort working mailserver for a personal
domain, check out the option.

