Letsencrypt-dane-tlsa-bind9
Patrick Domack
patrickdk at patrickdk.com
Mon Nov 21 03:32:03 CET 2016
Quoting "John @ KLaM" <john at klam.ca>:
> I am not going the CSR route so I am assuming that if I do this
> whenever certbot is run I should wind up with an up-to-date TLSA
> record.
You will have an up-to-date TLSA record, the problem is, everyone else
won't. They will have the old cached value without this new entry. For
this purpose, I do a cold rolling, and wait 2 weeks before I use the
new certificate and key. It's the same idea as rotating your ZSK and
KSK keys.
> My problem is how to get bind to recognise that there has been change.
Instead of dropping it in a file, use nsupdate.
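The two points above (publish the new TLSA record next to the old one, wait for caches to expire, then switch; and push the record with nsupdate rather than editing a zone file) as an added, self-contained example that is not code from this thread or from certbot. It walks a DER certificate far enough to pull out the SubjectPublicKeyInfo, builds the "3 1 1" (DANE-EE, SPKI, SHA-256) RDATA, and emits the two nsupdate batches of a staged rollover. The zone `example.com`, owner `_443._tcp.www.example.com`, the server `127.0.0.1` and the toy certificate are constructed assumptions; on a real host you would feed it the PEM from certbot instead.

```python
"""Added example (not from the thread): TLSA RDATA from a DER certificate and
the nsupdate batches for a staged rollover. Zone, owner, server and the toy
certificate below are constructed assumptions."""
import base64
import hashlib


def pem_to_der(pem_text):
    """Strip PEM armour lines and base64-decode the certificate body."""
    body = [l.strip() for l in pem_text.splitlines()
            if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(body))


def _der_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def spki_from_der_cert(der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER X.509 certificate.
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, pos, _ = _der_tlv(der, 0)          # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _der_tlv(der, pos)        # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = _der_tlv(der, pos)
    if tag == 0xA0:                         # optional explicit [0] version
        pos = end
    for _ in range(5):                      # serial, signature, issuer, validity, subject
        _, _, pos = _der_tlv(der, pos)
    tag, _, end = _der_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return der[pos:end]


def digest_hex(data, matching):
    """TLSA matching type: 0 = full data, 1 = SHA-256, 2 = SHA-512."""
    if matching == 0:
        return data.hex()
    if matching == 1:
        return hashlib.sha256(data).hexdigest()
    if matching == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("unknown matching type")


def tlsa_rdata(der, usage=3, selector=1, matching=1):
    """RDATA for a TLSA record; default 3 1 1 = DANE-EE, SPKI, SHA-256."""
    data = spki_from_der_cert(der) if selector == 1 else der
    return f"{usage} {selector} {matching} {digest_hex(data, matching)}"


def nsupdate_script(zone, owner, ttl, add=(), delete=(), server="127.0.0.1"):
    """nsupdate batch touching only the listed TLSA RRs, so an old record
    stays published next to the new one until a later batch removes it."""
    lines = [f"server {server}", f"zone {zone}"]
    for rdata in delete:
        lines.append(f"update delete {owner} IN TLSA {rdata}")
    for rdata in add:
        lines.append(f"update add {owner} {ttl} IN TLSA {rdata}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def _der(tag, payload):
    """Short-form DER TLV (payload < 128 bytes; enough for the toy sample)."""
    return bytes([tag, len(payload)]) + payload


def constructed_sample_cert():
    """Constructed toy DER certificate skeleton; returns (cert_der, spki_tlv).
    Not a real certificate: algorithm/issuer/validity/subject are empty
    SEQUENCEs, but the field order matches X.509 so the walker is exercised."""
    spki = _der(0x30,
                _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption OID
                     + _der(0x05, b""))
                + _der(0x03, b"\x00" + b"\x11" * 20))                     # dummy BIT STRING
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))  # [0] version = v3
               + _der(0x02, b"\x01")            # serialNumber
               + _der(0x30, b"")                # signature algorithm (placeholder)
               + _der(0x30, b"")                # issuer (placeholder)
               + _der(0x30, b"")                # validity (placeholder)
               + _der(0x30, b"")                # subject (placeholder)
               + spki)
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return cert, spki


if __name__ == "__main__":
    old_cert, _ = constructed_sample_cert()
    new_cert = old_cert.replace(b"\x11" * 20, b"\x22" * 20)   # stand-in for a new key
    old_rr, new_rr = tlsa_rdata(old_cert), tlsa_rdata(new_cert)
    # Day 0: publish the new record beside the old one; keep serving the old cert.
    print(nsupdate_script("example.com", "_443._tcp.www.example.com", 3600, add=[new_rr]))
    # After the old record has aged out of caches (the thread waits 2 weeks):
    # switch the server to the new cert/key, then remove the old record.
    print(nsupdate_script("example.com", "_443._tcp.www.example.com", 3600, delete=[old_rr]))
```

Pipe each batch into `nsupdate -k <key-file>` (the TSIG key and the `allow-update` policy in BIND are assumed to already exist). The 3 1 1 form hashes only the public key, so if certbot is told to keep the same key across renewals the record does not need to change at all; whether to rely on that or to roll the key with every renewal is the rotation policy choice the thread is discussing.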
More information about the dane-users mailing list