21 Nov 2016, 3:32 a.m.
Quoting "John @ KLaM" john@klam.ca:
> I am not going the CSR route, so I am assuming that if I do this whenever certbot is run I should wind up with an up-to-date TLSA record.
You will have an up-to-date TLSA record; the problem is, everyone else won't. They will have the old cached value without this new entry. For this purpose, I do a cold rolling, and wait 2 weeks before I use the new certificate and key. It's the same idea as rotating your ZSK and KSK keys.
> My problem is how to get bind to recognise that there has been a change.
Instead of dropping it in a file, use nsupdate.
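As an added example that is not part of the thread, here is what a certbot deploy hook following the advice above can look like: it derives the "3 1 1" TLSA value from the newly issued certificate, adds it with nsupdate, and deliberately does not delete the old record, which is retired by a separate step once the new one has been visible longer than the TTL. The zone, owner name, TTL and TSIG key file are placeholders; `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Certbot deploy hook (assumed wiring, not from the original thread): pre-publish
# the TLSA record for the new certificate via nsupdate, keep the old one for now.
set -eu

ZONE="${TLSA_ZONE:-example.net}"                            # placeholder zone
TLSA_NAME="${TLSA_NAME:-_25._tcp.mail.example.net.}"        # placeholder owner
TTL="${TLSA_TTL:-3600}"                                      # placeholder TTL
KEYFILE="${NSUPDATE_KEY:-/etc/bind/tlsa-update.key}"         # placeholder TSIG key

# SHA-256 over the DER SubjectPublicKeyInfo: the DANE-EE / SPKI / SHA-256 ("3 1 1") form.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | sed 's/^.*= *//'
}

tlsa_rdata() { printf '3 1 1 %s\n' "$1"; }

# nsupdate script that only ADDS the new record. No "update delete" here:
# resolvers still cache the old record, and the old cert/key stays in use until
# the new record has been published longer than the TTL (the poster waits 2 weeks).
publish_script() {
    printf 'zone %s\nupdate add %s %s IN TLSA %s\nsend\n' \
        "$ZONE" "$TLSA_NAME" "$TTL" "$(tlsa_rdata "$1")"
}

# Retire step, run by hand after switching to the new key: remove one old record.
retire_script() {
    printf 'zone %s\nupdate delete %s IN TLSA %s\nsend\n' \
        "$ZONE" "$TLSA_NAME" "$(tlsa_rdata "$1")"
}

# Certbot sets RENEWED_LINEAGE when it calls the hook; when sourced by hand, do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    publish_script "$(spki_sha256 "$RENEWED_LINEAGE/cert.pem")" | nsupdate -k "$KEYFILE"
fi
```

The retire step can be driven the same way: `retire_script "$OLD_HASH" | nsupdate -k "$KEYFILE"`, once the old certificate is no longer served anywhere.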