Letsencrypt & TLSA - automation
john at klam.ca
Mon Feb 20 11:49:11 CET 2017
I am not sure; I have used INCLUDE statements in my zone files in the
past, but some people don't like them.
My thinking is that immediately after a cert update I would include two
files, current and current -1 (probably using symlinks); after the TTL
period has passed/expired I would remove current -1. Removing it might
mean that I update its symlink to point to an "empty" file, not literally
empty but containing only a comment (or comments)?
Another way, one that feels extremely clumsy to me and which I am
therefore not too keen on, might be to have two copies of the zone file: a
working zone file and an operational zone file. The operational zone is
created by concatenation of the working file + the current TLSA file +
the expiring TLSA file during the TTL period.
Still have not worked out how to update the SOA serial number, bearing
in mind that the BIND zone file is somewhat free form.
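The second scheme in the post (working zone + current TLSA file + expiring TLSA file, then a serial bump) can be scripted. The following is an added example, not code from the post or from any project it mentions: it tokenises the zone file so that the SOA serial is found as the third token after the SOA type regardless of line breaks, parentheses or comments, drops the expiring file when it contains only comments (the "empty" file idea), and bumps the serial using the YYYYMMDDnn convention. The zone contents, file names, the `ROLLOVER_DAY` date and the SPKI bytes fed to the digest are constructed; the "3 1 1" TLSA parameters are an assumption, since the post does not state which usage/selector is in use.

```python
"""Assemble an 'operational' BIND zone from a 'working' zone plus TLSA record
files, and bump the SOA serial so the change is actually served.
Added example for the rollover scheme in the post; all sample data is constructed."""
import hashlib
import re
from datetime import date

# Tokens: whitespace runs, ';' comments to end of line, lone parentheses, and
# everything else (names, numbers, RR types). Comments and parentheses are
# skipped, which is what lets the SOA parser cope with free-form layout.
# (Quoted strings, e.g. TXT records containing ';', are not special-cased.)
_TOKEN_RE = re.compile(r"\s+|;[^\n]*|[()]|[^\s();]+")


def _tokens(text):
    """Yield (token, start, end) for the significant tokens of a zone file."""
    for m in _TOKEN_RE.finditer(text):
        tok = m.group()
        if tok.isspace() or tok.startswith(";") or tok in "()":
            continue
        yield tok, m.start(), m.end()


def bump_serial(old, today=None):
    """YYYYMMDDnn convention: today's date with a two-digit counter. If the
    stored serial is already at or past today's base, just add one so the
    serial always increases (32-bit wraparound is not handled here)."""
    today = today or date.today()
    base = int(today.strftime("%Y%m%d")) * 100
    return old + 1 if old >= base else base


def update_soa_serial(zone_text, today=None):
    """Return (new_zone_text, new_serial). The serial is the third token after
    the SOA type (mname, rname, serial), whatever the line layout."""
    toks = list(_tokens(zone_text))
    idx = next((i for i, (t, _, _) in enumerate(toks) if t.upper() == "SOA"), None)
    if idx is None or idx + 3 >= len(toks):
        raise ValueError("no complete SOA record found")
    serial, start, end = toks[idx + 3]
    if not serial.isdigit():
        raise ValueError("SOA serial is not numeric: %r" % serial)
    new_serial = bump_serial(int(serial), today)
    # Replace only the serial token; every other byte of the file is untouched.
    return zone_text[:start] + str(new_serial) + zone_text[end:], new_serial


def has_records(text):
    """True if the file has at least one line that is not blank or a comment,
    so a comment-only 'empty' TLSA file drops out of the assembled zone."""
    return any(line.strip() and not line.lstrip().startswith(";")
               for line in text.splitlines())


def tlsa_record(owner, spki_der, usage=3, selector=1, mtype=1):
    """TLSA record for a DER-encoded SubjectPublicKeyInfo. Defaults are the
    assumed DANE-EE / SPKI / SHA-256 ('3 1 1') parameters."""
    digest = hashlib.sha256(spki_der).hexdigest()
    return "%s IN TLSA %d %d %d %s" % (owner, usage, selector, mtype, digest)


def assemble_zone(working, current_tlsa, expiring_tlsa="", today=None):
    """Working zone + current TLSA records + (during the TTL overlap) the
    expiring TLSA records, followed by an SOA serial bump."""
    parts = [working.rstrip("\n"), "",
             "; --- TLSA records: current certificate ---", current_tlsa.strip()]
    if has_records(expiring_tlsa):
        parts += ["; --- TLSA records: previous certificate (kept for one TTL) ---",
                  expiring_tlsa.strip()]
    return update_soa_serial("\n".join(parts) + "\n", today)


# Constructed sample inputs (not from the original post).
ROLLOVER_DAY = date(2017, 2, 20)
WORKING_ZONE = """\
$TTL 3600
$ORIGIN example.com.
@   IN  SOA ns1.example.com. hostmaster.example.com. (
            2017021901  ; serial
            7200        ; refresh
            900         ; retry
            1209600     ; expire
            3600 )      ; minimum
    IN  NS  ns1.example.com.
ns1 IN  A   192.0.2.1
"""
CURRENT_TLSA = tlsa_record("_443._tcp", b"constructed-spki-for-new-key")
EXPIRING_TLSA = tlsa_record("_443._tcp", b"constructed-spki-for-old-key")
EMPTY_TLSA = "; no expiring TLSA records\n"

if __name__ == "__main__":
    zone, serial = assemble_zone(WORKING_ZONE, CURRENT_TLSA, EXPIRING_TLSA,
                                 today=ROLLOVER_DAY)
    print(zone)
    print("new serial:", serial)
```

Run it twice on the same day and the serial goes from 2017022000 to 2017022001; after the old record's TTL has expired, pass the comment-only file as `expiring_tlsa` and the previous certificate's section disappears while the serial still increases, so resolvers pick up the removal.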