Patrick Domack patrickdk at
Thu Apr 20 16:50:33 CEST 2017

I don't see how that is valid at all. It can be used as a hint, but  
not a hard rule.

I publish 3 records, past certificate that is rotated out, current,  
and the next certificate I will roll in.
You should be publishing your standby/failover certificate, if you  
want to handle a compromised certificate case.

Quoting John <john at>:

> Are the following assumptions reasonable?
> if there are multiple TLSA dane-ee (type 3) records for a particular  
> service, none of which match the current generated record, they can  
> (maybe should) be deleted.
> The same "rule" could be applied to dane type 2 records.

More information about the dane-users mailing list
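An added example, not code from the thread, that models the rollover policy Patrick describes: published DANE-EE records are grouped by which of the past, current or next certificate they match, and only records matching none are flagged, as a hint rather than a deletion rule. It assumes selector 0 (full certificate) with SHA-256 matching so no ASN.1 parsing is needed, and the certificate bytes are constructed placeholders.

```python
from __future__ import annotations
import hashlib
from typing import Dict, List, NamedTuple


class TLSA(NamedTuple):
    usage: int     # 3 = DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 1 = SHA-256
    data: str      # association data, lowercase hex


def tlsa_from_cert(cert_der: bytes, usage: int = 3, selector: int = 0, mtype: int = 1) -> TLSA:
    # Only selector 0 + SHA-256 is handled: the data is simply SHA-256 over the DER.
    # Selector 1 (SPKI) would require extracting the key from the certificate.
    if selector != 0 or mtype != 1:
        raise ValueError("example supports selector 0 / matching type 1 only")
    return TLSA(usage, selector, mtype, hashlib.sha256(cert_der).hexdigest())


def parse_tlsa(presentation: str) -> TLSA:
    # Zone-file presentation format "3 0 1 <hex>"; the hex may be split by spaces.
    usage, selector, mtype, *hexparts = presentation.split()
    return TLSA(int(usage), int(selector), int(mtype), "".join(hexparts).lower())


def to_presentation(t: TLSA) -> str:
    return f"{t.usage} {t.selector} {t.mtype} {t.data}"


def classify_records(published: List[str], certs: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group published DANE-EE records by the known certificate they match.
    Records matching none of past/current/next land under 'unknown': a cleanup
    hint only, since a standby/failover certificate may be published on purpose."""
    expected = {tlsa_from_cert(der): name for name, der in certs.items()}
    out: Dict[str, List[str]] = {name: [] for name in certs}
    out["unknown"] = []
    for rec in published:
        t = parse_tlsa(rec)
        if t.usage != 3:
            continue  # DANE-TA (usage 2) records need their own matching logic
        out[expected.get(t, "unknown")].append(rec)
    return out


# Constructed placeholders standing in for DER-encoded certificates (not real certs).
CERTS = {
    "past": b"DER:cert-rotated-out",
    "current": b"DER:cert-in-service",
    "next": b"DER:cert-to-roll-in",
}
STALE = "3 0 1 " + "ab" * 32  # constructed record matching no known certificate
PUBLISHED = [to_presentation(tlsa_from_cert(d)) for d in CERTS.values()] + [STALE]
```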