patrickdk at patrickdk.com
Mon Nov 21 03:32:03 CET 2016
Quoting "John @ KLaM" <john at klam.ca>:
> I am not going the CSR route so I am assuming that if I do this
> whenever certbot is run I should wind up with an up-to-date TLSA
You will have an up-to-date TLSA record; the problem is, everyone else
won't. They will have the old cached value without this new entry. For
this purpose, I do a cold rolling, and wait 2 weeks before I use the
new certificate and key. It's the same idea as rotating your zsk and
> My problem is how to get bind to recognise that there has been change.
Instead of dropping it in a file, use nsupdate.
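
One way to script the pre-publication with nsupdate, as an added example that is not part of the original message. It assumes the next certificate has already been issued but is not yet deployed; the zone `example.com`, the owner name `_25._tcp.mail.example.com`, the TTL, the TSIG key path and the function names are all placeholders.

```shell
#!/bin/sh
# Added example: publish a TLSA "3 1 1" record for the NEXT key with nsupdate
# while the current record stays in place, then retire the old one later.
# Assumed (not from the post): zone, owner name, TTL 3600, /etc/bind/ddns.key.

# Hex SHA-256 of the certificate's SubjectPublicKeyInfo (selector 1, type 1).
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -hex | sed 's/^.*= *//'
}

# Build nsupdate input that ADDS a record. "update add" leaves existing RRs
# with different RDATA untouched, so resolvers holding a cached RRset and
# resolvers fetching a fresh one both see a record matching the live key.
tlsa_add_script() {   # args: zone owner ttl hexdigest
    case "$4" in
        ""|*[!0-9a-fA-F]*) echo "digest is not hex" >&2; return 1 ;;
    esac
    [ "${#4}" -eq 64 ] || { echo "digest must be 64 hex chars" >&2; return 1; }
    printf 'zone %s\nupdate add %s %s TLSA 3 1 1 %s\nsend\n' "$1" "$2" "$3" "$4"
}

# Build nsupdate input that removes ONLY the old record, to be sent after the
# waiting period has passed and the server has switched to the new key.
tlsa_del_script() {   # args: zone owner old_hexdigest
    printf 'zone %s\nupdate delete %s TLSA 3 1 1 %s\nsend\n' "$1" "$2" "$3"
}

# Usage: sh tlsa-roll.sh publish /path/to/next-cert.pem
if [ "${1:-}" = "publish" ]; then
    digest=$(spki_sha256 "$2") || exit 1
    tlsa_add_script example.com _25._tcp.mail.example.com 3600 "$digest" |
        nsupdate -k /etc/bind/ddns.key
fi
```

Because the change goes in as a dynamic update, BIND applies it to the zone itself, so there is no zone file edit for it to notice.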