LetsDNS working example configuration

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Apr 12 22:32:55 CEST 2022


On Tue, Apr 12, 2022 at 10:03:23PM +0200, Ralph Seichter wrote:

> Re Viktor mentioning earlier on the Postfix mailing list that "there's
> a need for an example complete config file":
> 
> https://letsdns.org/example.html shows a complete and functioning
> example, in which I have only changed the domain name to example.com.
> 
> Dehydrated stores newly issued (i.e. queued) Let's Encrypt certificates
> in /var/lib/dehydrated/certs/example.com and calls LetsDNS from a hook
> function. LD generates DNS records for both the queued and the active
> certificate (found in /etc/postfix/tls). Two days later the queued cert
> is copied over the active one.
> 
> This ensures a non-breaking certificate roll-over, further backed by the
> TLSA records LetsDNS generates for the CA certificate.  Also, as is
> mentioned in the docs, LetsDNS deduplicates TLSA records automatically
> to avoid superfluous entries if possible.
> 
> I hope this sheds a bit more light on what is happening.

Yes, this is helpful, and I encourage you to write up how the
certificate lifecycle integrates with "letsdns", what custom
actions are supposed to do, ... who's responsible for activating
the "queued" certificate, ...

Presently it is not clear to me how the new tool is to be used.
I hope you'll have some cycles to document the key use cases.

-- 
    Viktor.
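As an added illustration of the roll-over Ralph describes above (this is not LetsDNS or Dehydrated code, and the file names, the TLSA owner name and the self-signed demo certificates are assumptions): the script below computes DANE-EE(3) / SPKI(1) / SHA-256(1) records for both the active and the queued certificate with openssl, deduplicates them so a renewal that kept the key pair yields a single record, and emits zone-file lines. The same helper with usage 2 covers a DANE-TA record for the issuing certificate.

```sh
#!/bin/sh
# Added example (not LetsDNS code): generate the TLSA record set for an
# "active" plus "queued" certificate pair during a roll-over. Records are
# DANE-EE(3) / SPKI(1) / SHA-256(1) for end-entity certificates and
# DANE-TA(2) / SPKI(1) / SHA-256(1) for an issuer certificate; identical
# records are deduplicated. File names and the owner name are assumptions.
set -eu

# spki_sha256 CERT.PEM -> hex SHA-256 of the certificate's SubjectPublicKeyInfo (DER).
# Only the first certificate in the file is read, so a chain file hashes
# the first (issuing) certificate in it.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# tlsa_rdata USAGE CERT... -> one "USAGE 1 1 <hex>" line per distinct public key.
# Unreadable files are skipped (a queued certificate may not exist yet).
tlsa_rdata() {
    usage=$1; shift
    for cert in "$@"; do
        [ -r "$cert" ] || continue
        printf '%s 1 1 %s\n' "$usage" "$(spki_sha256 "$cert")"
    done | sort -u
}

# tlsa_zone OWNER USAGE CERT... -> zone-file lines for the deduplicated set.
tlsa_zone() {
    owner=$1; usage=$2; shift 2
    tlsa_rdata "$usage" "$@" | while read -r rdata; do
        printf '%s. IN TLSA %s\n' "$owner" "$rdata"
    done
}

# make_demo_certs DIR: constructed self-signed certificates standing in for
#   active.pem          the certificate Postfix currently serves
#   queued-samekey.pem  a renewal that reused the active key pair
#   queued.pem          a renewal with a freshly generated key pair
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj /CN=mail.example.com \
        -keyout "$d/active.key" -out "$d/active.pem" 2>/dev/null
    openssl req -x509 -new -key "$d/active.key" -days 90 -subj /CN=mail.example.com \
        -out "$d/queued-samekey.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj /CN=mail.example.com \
        -keyout "$d/queued.key" -out "$d/queued.pem" 2>/dev/null
}

# Stand-alone demo: the record set a hook would publish during roll-over.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
echo "# same key reused: deduplicated to one record"
tlsa_zone _25._tcp.mail.example.com 3 "$demo_dir/active.pem" "$demo_dir/queued-samekey.pem"
echo "# new key: two records, both published before the queued cert is activated"
tlsa_zone _25._tcp.mail.example.com 3 "$demo_dir/active.pem" "$demo_dir/queued.pem"
rm -rf "$demo_dir"
```

The point of publishing both records ahead of the swap is that a verifier that already cached the old record set keeps matching the active certificate, and one that fetches the new set matches whichever certificate the server presents; the "3 1 1" for the old key can be retired only after the queued certificate has been copied over the active one and the old record's TTL has expired.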

