patrickdk at patrickdk.com
Thu Apr 20 16:50:33 CEST 2017
I don't see how that is valid at all. It can be used as a hint, but
not a hard rule.
I publish 3 records, past certificate that is rotated out, current,
and the next certificate I will roll in.
You should be publishing your standby/failover certificate, if you
want to handle a compromised certificate case.
Quoting John <john at klam.ca>:
> Are the following assumptions reasonable?
> if there are multiple TLSA dane-ee (type 3) records for a particular
> service, none of which match the current generated record, they can
> (maybe should) be deleted.
> The same "rule" could be applied to dane type 2 records.
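The rotation scheme Patrick describes (past, current and next certificate all published as "3 1 1" records), as an added example that is not code from the thread or from any DANE tool. It generates three throw-away self-signed certificates, emits the TLSA RRset for them, and then shows what John's rule would delete versus what is actually safe to delete once the standby/next certificate is taken into account. The owner name and file names are assumptions; only openssl and POSIX tools are used.

```shell
#!/bin/sh
# Added example (not from the dane-users thread). Generates TLSA 3 1 1
# (DANE-EE, SPKI selector, SHA-256) records for past/current/next certs and
# checks a published RRset against the certs still in the rotation set.
# Certificates are self-signed throw-aways; names are assumptions.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Make a self-signed certificate with a fresh P-256 key.
# $1 = file prefix, $2 = CN. Prints the certificate path.
mk_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 30 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
    echo "$WORK/$1.pem"
}

# TLSA "3 1 1" association data: SHA-256 over the DER SubjectPublicKeyInfo.
# Selector 1 (SPKI) keeps matching if the cert is re-issued for the same key.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# One TLSA record in zone-file syntax for owner name $1 and certificate $2.
tlsa_rr() {
    printf '%s. IN TLSA 3 1 1 %s\n' "$1" "$(spki_sha256 "$2")"
}

# $1 = file with one published digest per line, $2.. = certificates still in
# the rotation set. Prints each published digest that matches none of them.
# A record that fails to match the *current* cert is not stale if it matches
# the next/standby cert, which is the point of publishing all three.
unmatched_records() {
    published=$1; shift
    wanted=$WORK/wanted.$$
    : > "$wanted"
    for c in "$@"; do spki_sha256 "$c" >> "$wanted"; done
    grep -v -x -F -f "$wanted" "$published" || true
}

OWNER=_25._tcp.mail.example.com          # assumed owner name
PAST=$(mk_cert past mail.example.com)     # rotated out
CUR=$(mk_cert current mail.example.com)   # in service now
NEXT=$(mk_cert next mail.example.com)     # standby / next to roll in

# The RRset as published: past, current and next.
for c in "$PAST" "$CUR" "$NEXT"; do tlsa_rr "$OWNER" "$c"; done > "$WORK/zone.txt"
cat "$WORK/zone.txt"
awk '{print $NF}' "$WORK/zone.txt" > "$WORK/published.txt"

echo "--- not matching the current cert (what the proposed rule would delete):"
unmatched_records "$WORK/published.txt" "$CUR"
echo "--- not matching current or next (actually safe to delete):"
unmatched_records "$WORK/published.txt" "$CUR" "$NEXT"
```

The first listing contains two digests (past and next); deleting both would remove the standby record the operator relies on for a compromised-certificate swap. The second listing contains only the rotated-out certificate.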