Best practice TLSA RRs for CA-issued certs
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Dec 29 22:29:26 CET 2016
>
> On Dec 29, 2016, at 4:24 PM, Michael Grimm <trashcan at ellael.org> wrote:
>
>> The folks at https://mailinabox.email/ have automated LE certificate
>> management and key rotation. In my survey I see repeated successful
>> TLSA record and certificate rollovers for domains running that stack.
>> I continue to be impressed by their attention to detail.
>>
>> The mailinabox MX hosts represent 526 out of ~2300 MX hosts with
>> working TLSA records, so their stack is a noticeably large fraction
>> of the deployed base (by server count, the hosting providers of course
>> dominate by domain count).
>
> Ok, it *can* be done (by professionals :-) ).

Perhaps "dedicated volunteers" is a more apt description. You might
find that using their software is simpler than "do it yourself" (DIY).
If all you want is a low-effort working mailserver for a personal
domain, check out the mailinabox.email option.
--
Viktor.