Assumptions

Patrick Domack patrickdk at patrickdk.com
Thu Apr 20 16:50:33 CEST 2017


I don't see how that is valid at all. It can be used as a hint, but not a hard rule.

I publish 3 records: the past certificate that is rotated out, the current one, and the next certificate I will roll in.
You should be publishing your standby/failover certificate if you want to handle a compromised certificate case.



Quoting John <john at klam.ca>:

> Are the following assumptions reasonable?
>
> If there are multiple TLSA dane-ee (type 3) records for a particular service, none of which match the current generated record, they can (maybe should) be deleted.
>
> The same "rule" could be applied to dane type 2 records.
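The two pruning rules discussed in this thread, modelled as an added example that is not from either poster: the records are DANE-EE "3 1 1" (SHA-256 over the SubjectPublicKeyInfo), the key blobs are constructed placeholders, and the function names are assumptions.

```python
"""Model of TLSA 3 1 1 rollover: publish past/current/next vs. keep only the live key."""
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. Real values
# come from the certificates; any bytes suffice to show the record logic.
PAST_SPKI = b"constructed-spki-past"
CURRENT_SPKI = b"constructed-spki-current"
NEXT_SPKI = b"constructed-spki-next"


def spki_digest(spki_der):
    """Matching type 1: hex SHA-256 over the selector-1 (SPKI) data."""
    return hashlib.sha256(spki_der).hexdigest()


def tlsa_rdata(spki_der):
    """DANE-EE record data: usage 3, selector 1, matching type 1."""
    return "3 1 1 " + spki_digest(spki_der)


def parse_tlsa(rdata):
    """Split 'usage selector mtype hexdigest' into a (int, int, int, str) tuple."""
    usage, selector, mtype, digest = rdata.split()
    return int(usage), int(selector), int(mtype), digest.lower()


def rollover_rrset(past, current, nxt):
    """The three-record scheme from the reply: past, current and next keys."""
    return [tlsa_rdata(past), tlsa_rdata(current), tlsa_rdata(nxt)]


def served_key_matches(rrset, served_spki):
    """A DANE verifier accepts the connection if ANY 3 1 1 record matches the served key."""
    digest = spki_digest(served_spki)
    return any(parse_tlsa(r) == (3, 1, 1, digest) for r in rrset)


def prune_to_current_only(rrset, current_spki):
    """The 'hard rule' from the question: drop every record not matching the live key."""
    return [r for r in rrset if parse_tlsa(r)[3] == spki_digest(current_spki)]


def prune_keeping_rotation(rrset, keys_in_rotation):
    """Keep records for keys still in rotation (past, current, next); drop only older ones."""
    keep = {spki_digest(k) for k in keys_in_rotation}
    return [r for r in rrset if parse_tlsa(r)[3] in keep]
```

Running `prune_to_current_only` on the three-record set shows why the reply objects: it deletes the record for the next key before that key has ever been served, so a failover to it would no longer validate.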





More information about the dane-users mailing list