Letsencrypt & TLSA - automation

Phil Pennock dane-users-phil at spodhuis.org
Tue Feb 21 05:38:09 CET 2017

On 2017-02-20 at 22:38 -0500, Viktor Dukhovni wrote:
> Indeed this is the key issue.  The certificate provided by Let's Encrypt
> should not be deployed as the live certificate used by the MTA until the
> DNS TLSA records have been in place for at least a couple of TTLs.

This is why I just use DANE on the CA certs, with a spare CA entry, so
that I don't need to coordinate grace periods around updating DNS on
each renewal.

For exim.org, it's just LE.  I ended up dropping down to just X3 and X4.

For my own domains, it's LE and my private CAs.

For HPKP where there is a little more room inside the TCP stream and I
set longer TTLs, I include a commercial CA too; if everything goes to
hell and I end up paying for some certs for a year, I at least have an
exit plan.  I can add to DNS as-and-when needed.
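The "DANE on the CA certs, with a spare CA entry" approach above means publishing usage-2 (DANE-TA) TLSA records for each trusted issuing CA, so a renewal under an already-listed CA needs no DNS change. The following is an added example (not the poster's code) that derives such records from CA certificates in DER form; the owner name `_25._tcp.mail.example.com.` and the X.509-shaped sample certificate are constructed for illustration and are not a real CA.

```python
import hashlib

def der_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV (TLSA selector 1 input) of an X.509 DER cert."""
    _, pos, _ = der_tlv(cert_der, 0)        # Certificate SEQUENCE
    _, pos, _ = der_tlv(cert_der, pos)      # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                         # optional EXPLICIT [0] version
        pos = end
    for _ in range(5):                      # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_tlv(cert_der, pos)
    _, _, end = der_tlv(cert_der, pos)      # subjectPublicKeyInfo
    return cert_der[pos:end]

def tlsa_rdata(cert_der: bytes, usage=2, selector=1, mtype=1) -> str:
    """TLSA RDATA: usage 2 = DANE-TA (CA as trust anchor), selector 1 = SPKI, mtype 1 = SHA-256."""
    data = spki_der(cert_der) if selector == 1 else cert_der
    assoc = hashlib.sha256(data).hexdigest() if mtype == 1 else data.hex()
    return f"{usage} {selector} {mtype} {assoc}"

def tlsa_records(owner: str, ca_ders) -> list:
    """One DANE-TA record per CA; a not-yet-used 'spare' CA can be published in advance."""
    return [f"{owner} IN TLSA {tlsa_rdata(d)}" for d in ca_ders]

def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, used only to construct the sample certificate below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed stand-in for a CA certificate (not a real CA, signature bytes are dummies);
# it is X.509-shaped so spki_der() walks it exactly as it would a real DER certificate.
_RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d010101"))
SAMPLE_SPKI = _der(0x30, _der(0x30, _RSA_OID + _der(0x05, b"")) + _der(0x03, b"\x00" + b"\x42" * 64))
_SIG_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
_VALIDITY = _der(0x30, _der(0x17, b"170101000000Z") + _der(0x17, b"270101000000Z"))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _SIG_ALG
            + _der(0x30, b"") + _VALIDITY + _der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT_DER = _der(0x30, _TBS + _SIG_ALG + _der(0x03, b"\x00" * 9))
```

For real CA certificates, base64-decode the PEM body first and pass the resulting DER bytes; keeping the records valid across a renewal only requires that the new chain's issuer is already one of the published CAs.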
