Best practice TLSA RRs for CA-issued certs

Michael Grimm trashcan at
Fri Dec 30 11:53:21 CET 2016

On 29 Dec 2016, at 22:56, Viktor Dukhovni <ietf-dane at> wrote:

> If you:
>   * Configure LE cert renewal to NOT replace your key, just issue a new
>     certificate for the *same* key as before;
>   * Publish a "3 1 1" TLSA record for the stable public key.
> Then LE certificate renewal requires no DNS changes, and can proceed in
> an automated manner via their tools.

Thank you for your clarification that *no DNS changes are required*, ..

> From time to time, you might decide that your key has been lying around on
> your server too long, and may now be compromised.  Then you create a new
> key-pair and do LE renewal with that key instead.  You then can either
> go with the process outlined in:

.. *unless* I manually go for a new key. Perfect. That is a procedure I can live with, and I will follow that approach, then.

I'd like to thank you both for your help in understanding what will be the upcoming steps when implementing LE certificates.

With kind regards and a Happy New Year,

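The procedure quoted above (keep the key stable across renewals, publish a "3 1 1" TLSA record for it), as an added shell example that is not part of this thread: it derives the record from a certificate's SubjectPublicKeyInfo and checks that a renewal on the same key leaves the digest unchanged while a re-key changes it. It assumes an `openssl` binary on PATH, and it uses self-signed certificates as constructed stand-ins for Let's Encrypt issuance, which is valid here because the SPKI digest does not depend on who signed the certificate. The owner name `_25._tcp.mail.example.net.` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes `openssl` is on PATH.
# "3 1 1" = usage DANE-EE(3), selector SPKI(1), matching type SHA-256(1):
# the SHA-256 of the DER-encoded SubjectPublicKeyInfo of the end-entity cert.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hex SHA-256 of the SPKI taken from a PEM certificate.
tlsa_311_digest() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | od -An -v -tx1 | tr -d ' \n'
}

# The full resource record as it would appear in a zone file: owner name, then cert path.
tlsa_311_rr() {
    printf '%s IN TLSA 3 1 1 %s\n' "$1" "$(tlsa_311_digest "$2")"
}

# Constructed stand-in for an issuance: a self-signed certificate for the given key.
# The CA's signature never enters the SPKI digest, so this mirrors LE issuance for our purpose.
issue_cert() {
    openssl req -new -x509 -key "$1" -subj "/CN=mail.example.net" \
        -days 90 -out "$2" 2>/dev/null
}

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/key1.pem" 2>/dev/null
issue_cert "$WORK/key1.pem" "$WORK/cert1.pem"   # initial certificate
issue_cert "$WORK/key1.pem" "$WORK/cert2.pem"   # "renewal": new certificate, same key

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/key2.pem" 2>/dev/null
issue_cert "$WORK/key2.pem" "$WORK/cert3.pem"   # deliberate re-key: new key, new certificate

D1=$(tlsa_311_digest "$WORK/cert1.pem")
D2=$(tlsa_311_digest "$WORK/cert2.pem")
D3=$(tlsa_311_digest "$WORK/cert3.pem")

# Record to publish once for the stable key (placeholder owner name).
tlsa_311_rr _25._tcp.mail.example.net. "$WORK/cert1.pem"

if [ "$D1" = "$D2" ]; then
    echo "renewal on the same key: TLSA record unchanged, no DNS edit needed"
else
    echo "unexpected: same key produced a different SPKI digest" >&2
fi

if [ "$D1" != "$D3" ]; then
    echo "re-key: publish the new 3 1 1 record (and keep the old one until it is live) before deploying cert3"
fi
```

Run it once per certificate you deploy; the one check that matters operationally is the comparison between the digest of the record already in DNS and the digest of the certificate about to go live, and the two `if` blocks above are exactly that comparison for the renewal and re-key cases.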