On Apr 26, 2017, at 12:29 PM, john <john@klam.ca> wrote:

> Is an automatic TLSA update system worth doing?
Portability across multiple deployment architectures may be difficult, so a tool for the public is difficult. It is certainly worth doing for your own private deployment.
> Linux servers, need SRV records in order to determine the port and host for each TLSA record.
For SMTP the port is always 25, and the hostnames come from the MX records, and you already need the hostnames for the certificate.
For XMPP, indeed the hostnames and ports may come from the appropriate SRV records. Once again, you'll need the hostnames to obtain the requisite certificates, with or without TLSA records in the picture.
Of course the hostnames could be in a separate configuration file, and be used to manage all of the underlying configurations:
* Generate the SRV and MX records
* Configure certbot
* Automate TLSA record creation
all from a single primary source managed by the administrator.
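As an added illustration of the "single primary source" idea above (this is example code written for this page, not a script from the thread or from any project), the sketch below keeps one table of service, host, port and priority, and derives everything else from it: the MX and SRV records, the certbot `-d` arguments, and the TLSA records. The zone name, host names, ports and the `<host>.pem` certificate layout are assumptions. The TLSA records use DANE-EE(3) SPKI(1) SHA2-256(1), the usage recommended for SMTP in RFC 7672, and depend only on openssl(1).

```shell
#!/bin/sh
# Added example: one primary source (the HOSTS table) drives MX/SRV
# records, the certbot domain list and TLSA records.  All names, ports
# and file locations below are constructed placeholders.

ZONE="example.com"   # assumption: the zone being managed
TTL=3600

# service      host               port  priority  weight (unused for MX)
HOSTS='
smtp         mx1.example.com    25    10        0
smtp         mx2.example.com    25    20        0
xmpp-client  xmpp.example.com   5222  0         5
xmpp-server  xmpp.example.com   5269  0         5
'

# MX records for the smtp rows, SRV records for everything else.
gen_dns_records() {
    printf '%s\n' "$HOSTS" | while read -r svc host port prio weight; do
        [ -n "$svc" ] || continue
        case "$svc" in
            smtp) printf '%s. %d IN MX %d %s.\n' "$ZONE" "$TTL" "$prio" "$host" ;;
            *)    printf '_%s._tcp.%s. %d IN SRV %d %d %d %s.\n' \
                      "$svc" "$ZONE" "$TTL" "$prio" "$weight" "$port" "$host" ;;
        esac
    done
}

# The same host names, de-duplicated, as certbot -d arguments.
certbot_domains() {
    printf '%s\n' "$HOSTS" | awk 'NF { print $2 }' | sort -u |
        sed 's/^/-d /' | tr '\n' ' '
}

# DANE-EE(3) SPKI(1) SHA2-256(1): SHA-256 of the DER SubjectPublicKeyInfo
# of the leaf certificate.  Only the key is hashed, so a renewal that
# keeps the same key leaves the record unchanged.
tlsa_rdata() {  # $1 = PEM file; the first certificate in it is the leaf
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{ print $NF }'
}

# Owner name is _<port>._tcp.<host>.
tlsa_record() {  # $1 = host, $2 = port, $3 = PEM file
    printf '_%s._tcp.%s. %d IN TLSA 3 1 1 %s\n' \
        "$2" "$1" "$TTL" "$(tlsa_rdata "$3")"
}

# One TLSA record per (host, port) row.  $1 = directory holding
# <host>.pem (assumption: e.g. certbot's live/<host>/fullchain.pem
# copied or symlinked there after each renewal).
gen_tlsa_records() {
    printf '%s\n' "$HOSTS" | while read -r svc host port prio weight; do
        [ -n "$svc" ] || continue
        tlsa_record "$host" "$port" "$1/$host.pem"
    done
}

# Usage (uncomment after the certificates exist):
#   gen_dns_records > zone.fragment
#   certbot certonly --reuse-key $(certbot_domains) ...
#   gen_tlsa_records /etc/dane/certs >> zone.fragment
```

The `3 1 1` choice is what makes unattended renewal safe: as long as certbot is told to keep the key (`--reuse-key`), the published record stays valid across renewals, and a key change can be handled by publishing the new record (alongside the old one) before the new key is deployed and removing the old record only after the TTL has expired.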