Wildcard certificate and DANE/TLSA records

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Jan 2 22:03:57 CET 2019

> On Jan 2, 2019, at 1:32 PM, zorion <zorion at autistici.org> wrote:
> What are the implications of not having the private key in this file? I
> currently do not have it there, and I see no problems (postfix 3.1.8),
> but it's possible I'm not seeing something.

When the key and certs are in separate files you lose the ability
to atomically replace both, and introduce brief races when a Postfix
process is loading the key and certs while key rotation is happening.

In Postfix 3.4, when the cert and key are in the same file, the
race is eliminated.  The condition is temporary, and infrequent,
but best avoided entirely.

As for the key first, that's a longer story, but you won't go wrong
doing it that way.
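An added example, not part of Viktor's message or of Postfix itself: a POSIX shell routine that writes the private key first and the certificate chain after it into one PEM file, then installs it with an atomic rename, so a Postfix process that is loading TLS material never observes a half-rotated key/cert pair. The file names and the sample PEM contents are assumptions; the combined file is the layout Postfix 3.4 consumes via smtpd_tls_chain_files.

```shell
#!/bin/sh
# Build key-first combined PEM and replace the live file atomically.
# Assumption: the temp file is created in the destination directory so
# that mv(1) is a same-filesystem rename(2), which readers see as one step.
set -eu

install_combined_pem() {
    key="$1"; chain="$2"; dest="$3"
    dir=$(dirname "$dest")
    # mktemp in the destination directory keeps the final rename atomic
    tmp=$(mktemp "$dir/.pem.XXXXXX")
    # restrict permissions before any secret material is written
    chmod 600 "$tmp"
    # private key first, then the leaf certificate and intermediates
    cat "$key" "$chain" > "$tmp"
    # rename(2): a concurrent reader gets the old file or the new one, never a mix
    mv -f "$tmp" "$dest"
}

# Returns 0 when the first PEM block in the file is a private key
key_is_first() {
    first=$(grep -m1 -- '-----BEGIN' "$1")
    case "$first" in
        *"PRIVATE KEY-----") return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo on constructed (non-functional) PEM placeholders
demo() {
    d=$(mktemp -d)
    printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n' > "$d/key.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n' > "$d/chain.pem"
    install_combined_pem "$d/key.pem" "$d/chain.pem" "$d/combined.pem"
    key_is_first "$d/combined.pem" && echo "key first: ok"
    rm -rf "$d"
}
demo
```

In production the key and chain would come from the issuance process, and the same key-first ordering applies when the key is rotated: publish the TLSA record for the new certificate before running the rename.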


