Best practice TLSA RRs for CA-issued certs

Viktor Dukhovni ietf-dane at
Thu Dec 29 22:56:58 CET 2016

> On Dec 29, 2016, at 4:47 PM, Michael Grimm <trashcan at> wrote:
> I only had had the fear that mailing might break while being abroad,
> because manual intervention might have been missed during such a
> period in time.

A reasonable concern, a large fraction of LE users botch the cert renewal
interaction with TLSA one or more times before they eventually figure out
how to do it right.

If you:

   * Configure LE cert renewal to NOT replace your key, just issue a new
     certificate for the *same* key as before:

   * Publish a "3 1 1" TLSA record for the stable public key.

Then LE certificate renewal require no DNS changes, and can proceed in
an automated manner via their tools.

From time to time, you might decide that your key has been lying around on
your server too long, and may now be compromised.  Then you create a new
key-pair and do LE renewal with that key instead.  You then can either
go with the process outlined in:

Or, if you trust LE to not issue certificates for your domain to
strangers (the verification process for DV certificates is not
especially strong), you can use the "3 1 1 + 2 1 1" approach to
simplify the deployment process.


More information about the dane-users mailing list