John @ KLaM john at klam.ca
Mon Nov 21 03:26:30 CET 2016

Ice recently had to switch CA, I was using Startcom but recent events make 
them unaccuptable. I have decided to go with Letsencrypt. This works for 
most things but is giving me some headaches with DANE/TLSA.

I can generate the tlsa  for my dns ( bind 9) using Victor's tlsagen 
script. I direct the output into a file which I will be included in the DNS 
zone file using ($include).
I am not going the CSR route so I am assuming that if I do this whenever 
certbot is run I should wind up with an upto date tlsa record.

My problem is how to get bind to recognise that there has been  change.

Is this a workable idea?
What have I got wrong?

John A

More information about the dane-users mailing list