Letsencrypt & TLSA - automation

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Feb 21 05:47:28 CET 2017

> On Feb 20, 2017, at 11:38 PM, Phil Pennock <dane-users-phil at spodhuis.org> wrote:
> This is why I just use DANE on the CA certs, with a spare CA entry, so
> that I don't need to coordinate grace periods around updating DNS on
> each renewal.
> For exim.org, it's just LE.  I ended up dropping down to just X3 and X4.
> For my own domains, it's LE and my private CAs.

Thanks for that note.

If one is willing to issue leaf certs from a private CA, that's by far
the most robust option for port 25, where having a public trusted CA
in the chain is not particularly useful.

By all means, use LE on ports 587/465 for submission from mass-market
MUAs, but MTAs will either be opportunistic unauthenticated, or verify
private EE/private TA certs.

I'll probably add some code to Postfix 3.3 to make it easy to create
a TA key/cert + EE key/cert issued by said TA.  And code to roll these
as described in the various messages I keep posting links to.

Updating the DNS will require a user-provided hook.


More information about the dane-users mailing list