Letsencrypt & TLSA - automation

John Allen john at klam.ca
Mon Feb 20 11:49:11 CET 2017

I am not sure, I have used INCLUDE statements in my zone files in the 
past. But some people don't like them.

My thinking is that immediately after a cert update I would include two 
files, current and current -1 (probably using symlinks); after the TTL 
period has passed/expired I would remove current -1. Removing it might 
mean that I update its symlink to point to an "empty" file, not literally 
empty but one that only contains a comment(s)??

Another way, one that to me feels extremely clumsy and as a result 
I am not too keen on, might be to have two copies of the zone file, a 
working zone file and an operational zone file. The operational zone is 
created by concatenation of the working file + the current TLSA file + 
the expiring TLSA file during the TTL period.

Still have not worked out how to update the SOA sequence number, bearing 
in mind that the BIND zone file is somewhat free form.
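The rollover the message sketches (publish current and previous TLSA records together, retire the previous one once the old TTL has run out, bump the SOA serial in a free-form BIND zone), written out as an added Python example. This is not code from the poster or from the dane-users list; the owner name, the SPKI bytes, the zone text and the file names are all constructed for illustration. It assumes "3 1 1" records (DANE-EE, SubjectPublicKeyInfo, SHA-256), so the record only changes when the key changes, not on every renewal that reuses the key.

```python
import hashlib
import re

# Constructed stand-in bytes for the DER-encoded SubjectPublicKeyInfo of the new
# and the previous certificate. These are NOT real keys; with a real cert you
# would get the bytes from
#   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER
SPKI_CURRENT = b"\x30\x59\x30\x13" + bytes(range(85))
SPKI_PREVIOUS = b"\x30\x59\x30\x13" + bytes(range(85, 170))

# Hypothetical owner name for the TLSA records.
OWNER = "_443._tcp.www.example.com."

# Constructed zone that pulls the TLSA records in via $INCLUDE, as the
# message proposes (both files always referenced; the retired one holds only
# a comment).
EXAMPLE_ZONE = """$TTL 3600
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2017022001 ; serial
        7200       ; refresh
        900        ; retry
        1209600    ; expire
        3600 )     ; minimum
@ IN NS ns1.example.com.
$INCLUDE tlsa-current.db
$INCLUDE tlsa-previous.db
"""


def tlsa_record(owner, spki_der, usage=3, selector=1, mtype=1):
    """Zone-file TLSA line for a '3 1 1' association: DANE-EE, SPKI, SHA-256."""
    digest = hashlib.sha256(spki_der).hexdigest()
    return f"{owner} IN TLSA {usage} {selector} {mtype} {digest}"


def rollover_records(owner, current_spki, previous_spki, rolled_at, ttl, now):
    """Records that must be published at time `now` (seconds).

    The new key is always present; the previous key stays published until
    the old record has expired from every resolver cache, i.e. for `ttl`
    seconds after the rollover at `rolled_at`.
    """
    records = [tlsa_record(owner, current_spki)]
    if previous_spki is not None and now < rolled_at + ttl:
        records.append(tlsa_record(owner, previous_spki))
    return records


def include_file_text(records, label):
    """Body of an $INCLUDE'd file; a retired file keeps only the comment line."""
    lines = [f"; TLSA records: {label}"]
    lines.extend(records)
    return "\n".join(lines) + "\n"


# SOA serial in a free-form BIND zone: the first number after the MNAME and
# RNAME fields, allowing an optional '(' and ';' comments in between.
SOA_SERIAL_RE = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*(?:;[^\n]*\n\s*)*)(\d+)")


def bump_soa_serial(zone_text, today):
    """Return (new_zone_text, new_serial); `today` is a 'YYYYMMDD' string.

    Date-formed serials (YYYYMMDDnn) restart at today's date with nn=01 when
    the date has advanced; in every other case the serial is incremented.
    """
    m = SOA_SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found in zone")
    old = m.group(2)
    if len(old) == 10 and old[:8] < today:
        new = today + "01"
    else:
        new = str(int(old) + 1)
    return zone_text[: m.start(2)] + new + zone_text[m.end(2) :], new


if __name__ == "__main__":
    # Rollover happened at t=1000 with a 3600 s TTL; show both moments.
    for now in (2000, 5000):
        recs = rollover_records(OWNER, SPKI_CURRENT, SPKI_PREVIOUS, 1000, 3600, now)
        print(f"t={now}:")
        print(include_file_text(recs[:1], "current"))
        print(include_file_text(recs[1:], "previous"))
    zone, serial = bump_soa_serial(EXAMPLE_ZONE, "20170220")
    print("new serial:", serial)
```

The serial bump is a text edit at the matched offset, so the rest of the zone file's layout (comments, parentheses, column alignment) is left untouched; if a zone uses a plain counter rather than a date-formed serial, only the increment branch is taken.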


More information about the dane-users mailing list