Patrick Domack patrickdk at patrickdk.com
Mon Nov 21 03:32:03 CET 2016

Quoting "John @ KLaM" <john at klam.ca>:

> I am not going the CSR route so I am assuming that if I do this  
> whenever certbot is run I should wind up with an upto date tlsa  
> record.

You will have an uptodate tlsa record, the problem is, everyone else  
won't. They will have the old cached value without this new entry. For  
this purpose, I do a cold rolling, and wait 2 weeks before I use the  
new certificate and key. It's the same idea as rotating your zsk and  
ksk keys.

> My problem is how to get bind to recognise that there has been  change.

Instead of dropping it in a file, use nsupdate.

More information about the dane-users mailing list