I've recently had to switch CA; I was using StartCom but recent events make
them unacceptable. I have decided to go with Let's Encrypt. This works for
most things but is giving me some headaches with DANE/TLSA.
I can generate the TLSA for my DNS (BIND 9) using Viktor's tlsagen
script. I direct the output into a file which will be included in the DNS
zone file using $INCLUDE.
I am not going the CSR route, so I am assuming that if I do this whenever
certbot is run I should wind up with an up-to-date TLSA record.
My problem is how to get BIND to recognise that there has been a change.
Is this a workable idea?
What have I got wrong?
TIA
John A
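One way to close the loop the post describes (regenerate the TLSA record after certbot deploys a certificate, rewrite the $INCLUDE'd file, bump the SOA serial, reload the zone), written as an added example and not the poster's or any project's own code. It replaces the tlsagen script with the equivalent openssl pipeline for a "3 1 1" record (SHA-256 over the certificate's SubjectPublicKeyInfo). The zone name, file paths, owner name and the assumption that the SOA serial sits on its own line followed by a "; serial" comment are all made up for the example; certbot really does export RENEWED_LINEAGE to deploy hooks, and `rndc reload <zone>` is a real BIND command.

```shell
#!/bin/sh
# certbot deploy hook (added example): refresh the DANE TLSA record for the
# just-deployed certificate and make BIND pick up the change.
#   certbot renew --deploy-hook /usr/local/sbin/tlsa-deploy-hook.sh deploy
set -eu

ZONE="${ZONE:-example.com}"                          # assumption: zone name
TLSA_OWNER="_25._tcp.mail.${ZONE}."                  # assumption: SMTP host
ZONE_FILE="${ZONE_FILE:-/etc/bind/db.${ZONE}}"       # assumption: zone file
TLSA_FILE="${TLSA_FILE:-/etc/bind/tlsa.${ZONE}}"     # the $INCLUDE target
# certbot sets RENEWED_LINEAGE for deploy hooks; fall back to the live dir.
CERT="${RENEWED_LINEAGE:-/etc/letsencrypt/live/${ZONE}}/cert.pem"

# SHA-256 of the certificate's SubjectPublicKeyInfo, i.e. the data field of a
# TLSA record with usage 3 (DANE-EE), selector 1 (SPKI), matching type 1.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Format one TLSA resource record: $1 = owner name, $2 = hex digest.
tlsa_record() {
    printf '%s IN TLSA 3 1 1 %s\n' "$1" "$2"
}

# Next SOA serial in YYYYMMDDnn style: $1 = current serial, $2 = today as
# YYYYMMDD. Keeps increasing even if the old serial is "in the future".
next_serial() {
    old=$1; today=$2
    candidate="${today}00"
    if [ "$old" -ge "$candidate" ]; then
        echo $((old + 1))
    else
        echo "$candidate"
    fi
}

# Rewrite the serial line of the zone file: $1 = zone file, $2 = today.
# Assumes the serial is the first field of the line carrying a "; serial"
# comment (a common zone-file layout). Prints the new serial.
bump_serial() {
    old=$(awk '/;[[:space:]]*[Ss]erial/ { print $1; exit }' "$1")
    new=$(next_serial "$old" "$2")
    tmp=$(mktemp)
    awk -v old="$old" -v new="$new" '
        !done && /;[[:space:]]*[Ss]erial/ && $1 == old { sub(old, new); done = 1 }
        { print }' "$1" > "$tmp"
    mv "$tmp" "$1"
    echo "$new"
}

main() {
    today=$(date -u +%Y%m%d)
    digest=$(spki_sha256 "$CERT")
    tmp=$(mktemp)
    tlsa_record "$TLSA_OWNER" "$digest" > "$tmp"
    # Leave the zone alone when the key (and therefore the record) is unchanged.
    if cmp -s "$tmp" "$TLSA_FILE"; then
        rm -f "$tmp"
        echo "TLSA record unchanged"
        return 0
    fi
    mv "$tmp" "$TLSA_FILE"
    new=$(bump_serial "$ZONE_FILE" "$today")
    echo "TLSA record updated, zone serial now $new"
    rndc reload "$ZONE"          # BIND re-reads the zone file and its $INCLUDEs
}

# Only act when invoked as the hook; sourcing the file just defines the functions.
if [ "${1:-}" = "deploy" ]; then
    main
fi
```

Two points worth checking before relying on this. First, BIND only re-reads an $INCLUDE'd file when the zone is reloaded and the SOA serial has changed, which is why the hook does both rather than just writing the file. Second, certbot generates a fresh private key on every renewal by default, and the new "3 1 1" record needs to be in DNS, and past the old record's TTL, before the new certificate is served; a deploy hook that publishes after deployment leaves a short window in which DANE-validating senders see a mismatch. Running certbot with `--reuse-key`, so the SPKI digest stays stable across renewals, or publishing the record for the next key ahead of time, avoids that window.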