Letsencrypt & TLSA - automation
dane-users-phil at spodhuis.org
Tue Feb 21 05:38:09 CET 2017
On 2017-02-20 at 22:38 -0500, Viktor Dukhovni wrote:
> Indeed this is the key issue. The certificate provided by Let's Encrypt
> should not be deployed as the live certificate used by the MTA until the
> DNS TLSA records have been in place for at least a couple of TTLs.
This is why I just use DANE on the CA certs, with a spare CA entry, so
that I don't need to coordinate grace periods around updating DNS on
For exim.org, it's just LE. I ended up dropping down to just X3 and X4.
For my own domains, it's LE and my private CAs.
For HPKP where there is a little more room inside the TCP stream and I
set longer TTLs, I include a commercial CA too; if everything goes to
hell and I end up paying for some certs for a year, I at least have an
exit plan. I can add to DNS as-and-when needed.
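As an added example (not Phil's configuration or Exim's code), the Go program below shows the mechanism described above: publish a DANE-TA "2 1 1" TLSA record for the live CA and a second one for a spare CA, so the MTA can move to a certificate issued by the spare without a DNS change or a TTL wait. The certificates are constructed in-memory stand-ins rather than Let's Encrypt's X3/X4, and the hostname and path-validation checks a real verifier also performs are assumed to be done by the TLS stack.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"time"
)

// TLSA is one record's RDATA. Usage 2 (DANE-TA) + selector 1 (SPKI) + matching 1 (SHA-256) pins a
// CA by its public key, so leaf renewals under it never need a DNS change; a spare CA is a second RR.
type TLSA struct {
	Usage, Selector, Matching uint8
	Data                      string // hex digest, as written in the zone file
}

// CARecord builds the "2 1 1" record that pins ca.
func CARecord(ca *x509.Certificate) TLSA {
	sum := sha256.Sum256(ca.RawSubjectPublicKeyInfo)
	return TLSA{2, 1, 1, hex.EncodeToString(sum[:])}
}

// ChainMatches reports whether an issuer in the presented chain (leaf first) is pinned by a DANE-TA RR; path validation and name checks are left to the TLS stack.
func ChainMatches(rrset []TLSA, chain []*x509.Certificate) bool {
	for _, rr := range rrset {
		for i := 1; i < len(chain); i++ { // DANE-TA: the trust anchor itself must be in the chain
			if rr.Usage == 2 && rr.Selector == 1 && rr.Matching == 1 && CARecord(chain[i]).Data == rr.Data {
				return true
			}
		}
	}
	return false
}

// MkCert makes a throwaway demo cert (constructed, not a real CA): self-signed CA if parent is nil, else a leaf.
func MkCert(parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Rotating the leaf from the live CA to the spare passes the check against the same RRset; only adding a third, unpublished CA would require a DNS change first.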