DANE rollover: selector type

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Jul 13 16:42:31 CEST 2018

On Fri, Jul 13, 2018 at 03:15:57PM +0200, Dennis Baaten wrote:

> In your presentation named "Real World DANE Inter-domain email transport"
> (https://static.ptbl.co/static/attachments/169319/1520904692.pdf) you
> describe two approaches to handle a certificate change from a DANE
> perspective: "current + next", and "current + issuer CA". In the given
> example you use a "1" (certificate public key) for the TLSA parameter
> "selector". I'm wondering whether this example is meant to imply that
> selector type "1" is preferred over selector type "0" (full certificate)?

Yes, "1" is preferred for public CAs, where you don't control the
timing of issuer certificate renewals, and typically (e.g. Let's
Encrypt) the CA continues to use the same key, with a newly issued

> In my opinion the selector type should not matter, making a "311 + 211" just
> as good as a "301 + 211". Would you agree?

As for DANE-EE(3), "3 1 1" is also preferred, though if you always
change keys when renewing the certificate, then indeed it does
not matter very much.
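An added illustration of the point above (example script, not code from the thread or the presentation): it builds one key, issues two constructed self-signed certificates from it to mimic a same-key renewal, and derives the "3 0 1" and "3 1 1" TLSA data for each, so the selector 1 digest stays constant while the selector 0 digest changes. The hostname, serial numbers and paths are placeholders; it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example (not from the thread): derive TLSA record data with selector 0
# (full certificate) and selector 1 (SubjectPublicKeyInfo) for two constructed
# self-signed certificates that share one key, mimicking a same-key renewal.
# Hostname, paths and serial numbers are placeholders; requires the openssl CLI.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One key, reused across both certificates (as same-key renewals do).
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
  -out "$WORK/key.pem" 2>/dev/null

# Issue two distinct certificates from the same key (different serials).
for n in 1 2; do
  openssl req -x509 -new -key "$WORK/key.pem" -subj "/CN=mx.example.test" \
    -days 30 -set_serial "$n" -out "$WORK/cert$n.pem" 2>/dev/null
done

# tlsa_data CERT SELECTOR: hex SHA-256 (matching type 1) of the selected content.
tlsa_data() {
  if [ "$2" -eq 0 ]; then
    openssl x509 -in "$1" -outform DER            # selector 0: whole certificate
  else
    openssl x509 -in "$1" -noout -pubkey |
      openssl pkey -pubin -outform DER            # selector 1: SPKI only
  fi | openssl dgst -sha256 | awk '{print $NF}'
}

# tlsa_rr CERT SELECTOR: a DANE-EE (usage 3) record in zone-file form.
tlsa_rr() {
  printf '_25._tcp.mx.example.test. IN TLSA 3 %s 1 %s\n' "$2" "$(tlsa_data "$1" "$2")"
}

for n in 1 2; do
  echo "== cert$n =="
  tlsa_rr "$WORK/cert$n.pem" 0   # differs between the two certificates
  tlsa_rr "$WORK/cert$n.pem" 1   # identical for both certificates
done
```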


