john at klam.ca
Wed Apr 26 18:29:35 CEST 2017
I have been working on a renew-hook for letsencrypt/certbot.
The idea was that it would generate new TLSA records when the
certificates were updated, automatically install them and automatically
remove the old ones after a suitable delay.
While I was putting it together I made some assumptions about the
environment that TLSA records would be found in, in particular the DNS
configuration. It seems I am probably wrong.
Is an automatic TLSA update system worth doing? Are the prerequisites
that I think might make it work too onerous? E.g. Linux servers, and the need
for SRV records in order to determine the port and host for each TLSA record.
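The hook sketched above, as an added example that is not the poster's code: standard-library Python that derives TLSA owner names from SRV records for the hosts the renewed certificate covers, builds a "3 1 1" (DANE-EE, SPKI, SHA-256) record from the certificate's SubjectPublicKeyInfo, and decides which records to publish now and which old ones to retire once the delay has passed. It assumes the SPKI is already available as DER (for example via `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER`); the SRV data and key bytes below are constructed, and the DNS update itself is left to whatever API the zone uses.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

def tlsa_rdata(spki_der: bytes) -> str:
    """DANE-EE(3) / SPKI(1) / SHA-256(1): the rdata a renew hook usually
    publishes, since it stays valid across re-issuance as long as the
    key pair is kept (and changes exactly when the key does)."""
    return f"3 1 1 {hashlib.sha256(spki_der).hexdigest()}"

def owner_name(port: int, proto: str, target: str) -> str:
    """TLSA owner for a service reached through SRV (RFC 7673):
    _<port>._<proto>.<SRV target>. The SRV target, not the service name,
    is the host that actually presents the certificate."""
    return f"_{port}._{proto}.{target.rstrip('.')}."

def tlsa_owners(srv_records: Iterable[Tuple[str, int, str]],
                cert_names: Iterable[str]) -> List[str]:
    """srv_records: constructed (service_name, port, target) tuples.
    Only targets the renewed certificate covers get a TLSA owner."""
    covered = {n.rstrip(".").lower() for n in cert_names}
    owners = set()
    for service, port, target in srv_records:
        proto = service.split(".")[1].lstrip("_")  # _xmpp-server._tcp.x -> tcp
        if target.rstrip(".").lower() in covered:
            owners.add(owner_name(port, proto, target))
    return sorted(owners)

def plan_rollover(published: Dict[str, float], new_rdata: str,
                  now: float, delay: float) -> Tuple[List[str], List[str]]:
    """Per-owner decision for this hook run.
    published: rdata -> time it was first published (state kept by the hook).
    Returns (to_add, to_remove). Old rdata is kept until `delay` seconds
    after the new one went live, so resolvers holding a cached TLSA set
    still match the previous certificate; the new rdata is never removed."""
    to_add = [] if new_rdata in published else [new_rdata]
    live_since = published.get(new_rdata, now)
    to_remove = [r for r in published
                 if r != new_rdata and now - live_since >= delay]
    return to_add, to_remove

if __name__ == "__main__":
    spki = b"constructed bytes, not a real SubjectPublicKeyInfo"
    srv = [("_xmpp-server._tcp.example.net.", 5269, "xmpp1.example.net."),
           ("_submission._tcp.example.net.", 587, "mail.example.net.")]
    for owner in tlsa_owners(srv, ["xmpp1.example.net"]):
        add, remove = plan_rollover({}, tlsa_rdata(spki), now=0.0, delay=3600)
        print(owner, "IN TLSA", *add, "| retire:", remove)
```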