LetsDNS working example configuration

Ralph Seichter ralph at ml.seichter.de
Tue Apr 12 22:03:23 CEST 2022


Re Viktor mentioning earlier on the Postfix mailing list that "there's
a need for an example complete config file":

https://letsdns.org/example.html shows a complete and functioning
example, in which I have only changed the domain name to example.com.

Dehydrated stores newly issued (i.e. queued) Let's Encrypt certificates
in /var/lib/dehydrated/certs/example.com and calls LetsDNS from a hook
function. LD generates DNS records for both the queued and the active
certificate (found in /etc/postfix/tls). Two days later the queued cert
is copied over the active one.

This ensures a non-breaking certificate roll-over, further backed by the
TLSA records LetsDNS generates for the CA certificate. Also, as is
mentioned in the docs, LetsDNS deduplicates TLSA records automatically
to avoid superfluous entries if possible.

I hope this sheds a bit more light on what is happening.

-Ralph
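The roll-over scheme described in the post, as an added illustration rather than LetsDNS or dehydrated code: the TLSA RRset is built from the active certificate, the queued certificate and the CA certificate, so that the DNS already matches the queued key before it is copied over the active one, and identical records (same key in both certificates) collapse into one. Everything here is assumed for the example: the owner name `_25._tcp.mx.example.com.`, the choice of `3 1 1` (DANE-EE, SPKI, SHA-256) for end-entity records and `2 1 1` (DANE-TA) for the CA, the hand-rolled DER walker, and the `sample_cert()` helper, which builds a certificate-shaped DER structure for testing only and is not a valid certificate.

```python
"""Build a deduplicated DANE TLSA RRset covering the active certificate, the
queued (pre-staged) certificate and their CA.  Added example, not LetsDNS code;
the DER walker does only what is needed to find SubjectPublicKeyInfo."""
import hashlib

# ---- minimal DER helpers -------------------------------------------------

def der(tag, content):
    """Encode one DER TLV (used only to construct sample certificates below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_read(buf, pos):
    """Decode the TLV header at pos -> (tag, content_start, content_len, next_pos)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    return tag, pos + hdr, length, pos + hdr + length

def der_children(buf, start, end):
    """Yield (tag, raw_tlv_bytes) for each element of a constructed DER span."""
    pos = start
    while pos < end:
        tag, _, _, nxt = der_read(buf, pos)
        yield tag, buf[pos:nxt]
        pos = nxt

def spki_from_der_cert(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER-encoded X.509 cert."""
    _, cs, cl, _ = der_read(cert_der, 0)                    # Certificate SEQUENCE
    _, tbs_raw = next(der_children(cert_der, cs, cs + cl))  # tbsCertificate
    _, ts, tl, _ = der_read(tbs_raw, 0)
    fields = list(der_children(tbs_raw, ts, ts + tl))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

# ---- TLSA generation ------------------------------------------------------

def tlsa_record(owner, usage, selector, mtype, spki_der):
    """Format one TLSA RR; selector 1 = SPKI, matching type 1 = SHA-256."""
    digest = hashlib.sha256(spki_der).hexdigest()
    return f"{owner} IN TLSA {usage} {selector} {mtype} {digest}"

def tlsa_rrset(owner, active_cert, queued_cert, ca_cert):
    """Records for active + queued end-entity keys (3 1 1) and the CA (2 1 1),
    deduplicated while preserving order, as in the roll-over described above."""
    wanted = [
        tlsa_record(owner, 3, 1, 1, spki_from_der_cert(active_cert)),
        tlsa_record(owner, 3, 1, 1, spki_from_der_cert(queued_cert)),
        tlsa_record(owner, 2, 1, 1, spki_from_der_cert(ca_cert)),
    ]
    seen, rrset = set(), []
    for rr in wanted:
        if rr not in seen:
            seen.add(rr)
            rrset.append(rr)
    return rrset

# ---- constructed test fixture (not a real certificate) --------------------

RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # 1.2.840.113549.1.1.1
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11

def sample_cert(key_bytes):
    """Certificate-shaped DER carrying key_bytes as the public key; constructed
    purely so the walker has realistic structure to traverse (not valid X.509)."""
    spki = der(0x30, der(0x30, der(0x06, RSA_OID)) + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))             # [0] version v3
              + der(0x02, b"\x01")                       # serialNumber
              + der(0x30, der(0x06, SHA256_RSA_OID))     # signature algorithm
              + der(0x30, b"") + der(0x30, b"") + der(0x30, b"")  # issuer/validity/subject
              + spki)
    return der(0x30, tbs + der(0x30, der(0x06, SHA256_RSA_OID)) + der(0x03, b"\x00" * 5))

if __name__ == "__main__":
    active, queued, ca = sample_cert(b"A" * 32), sample_cert(b"B" * 32), sample_cert(b"C" * 32)
    for rr in tlsa_rrset("_25._tcp.mx.example.com.", active, queued, ca):
        print(rr)
```

With a queued certificate that reuses the active key, the two `3 1 1` records are identical and only one is kept; once the queued certificate replaces the active one, re-running the generator simply drops the record for the retired key.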


More information about the dane-users mailing list