20 Apr 2017, 4:50 p.m.
I don't see how that is valid at all. It can be used as a hint, but not a hard rule.
I publish 3 records: the past certificate that has been rotated out, the current one, and the next certificate I will roll in. You should be publishing your standby/failover certificate if you want to handle the compromised-certificate case.
Quoting John <john@klam.ca>:

> Are the following assumptions reasonable?
> If there are multiple TLSA DANE-EE (type 3) records for a particular service, none of which match the currently generated record, they can (maybe should) be deleted.
> The same "rule" could be applied to DANE type 2 records.
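The two positions above differ in what counts as a record that "matches": the question treats anything not matching the currently generated record as deletable, while the reply pre-publishes the next certificate, so a mismatch against the current one alone is not evidence of staleness. The following is an added example for this thread, not code posted by anyone in it. It reconciles a set of published TLSA records against the certificates you intend to present (current plus standby for usage 3, issuer for usage 2) and shows which records each rule would delete. It uses only the Python standard library; the `Cert`, `TLSA`, `reconcile` names and the DER "certificates" are constructed stand-ins, not real X.509 data, so the hashes are illustrative. A record is compared by recomputing its own selector and matching type over each intended certificate, so a published `3 0 1` and a freshly generated `3 1 1` for the same certificate both count as matching it.

```python
"""Reconcile published TLSA RRs against the certificates you intend to serve.

Added example for this thread, not code posted by anyone in it. Standard
library only; the DER "certificates" below are constructed byte strings,
not real X.509 data, so the hashes are illustrative.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    name: str
    der: bytes    # what selector 0 (full certificate) is computed over
    spki: bytes   # what selector 1 (SubjectPublicKeyInfo) is computed over


@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA, 3 = DANE-EE
    selector: int   # 0 = full certificate, 1 = SPKI
    mtype: int      # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: str       # certificate association data as lowercase hex

    @classmethod
    def parse(cls, rdata: str) -> "TLSA":
        u, s, m, d = rdata.split()
        return cls(int(u), int(s), int(m), d.lower())

    def __str__(self) -> str:
        return f"{self.usage} {self.selector} {self.mtype} {self.data}"


def tlsa_data(blob: bytes, mtype: int) -> str:
    """Association data for a matching type over an already-selected blob."""
    if mtype == 0:
        return blob.hex()
    if mtype == 1:
        return hashlib.sha256(blob).hexdigest()
    if mtype == 2:
        return hashlib.sha512(blob).hexdigest()
    raise ValueError(f"unknown matching type {mtype}")


def generate(cert: Cert, usage: int, selector: int, mtype: int) -> TLSA:
    """The record you would publish for this cert with these parameters."""
    blob = cert.der if selector == 0 else cert.spki
    return TLSA(usage, selector, mtype, tlsa_data(blob, mtype))


def matches(rr: TLSA, cert: Cert) -> bool:
    """Recompute the record's own selector/matching type over the cert, so
    a published '3 0 1' and a generated '3 1 1' for the same certificate
    both count as matching it (a plain string compare would not)."""
    blob = cert.der if rr.selector == 0 else cert.spki
    return tlsa_data(blob, rr.mtype) == rr.data


def reconcile(published, intended):
    """published: TLSA records currently in DNS.
    intended: {usage: [Cert, ...]}, e.g. {3: [current, standby], 2: [issuer]}.
    Returns (keep, stale, missing). A record is stale if it matches no
    intended cert of its usage; missing lists intended certs with no record."""
    keep, stale = [], []
    for rr in published:
        target = keep if any(matches(rr, c) for c in intended.get(rr.usage, [])) else stale
        target.append(rr)
    missing = [(usage, c.name) for usage, certs in intended.items() for c in certs
               if not any(rr.usage == usage and matches(rr, c) for rr in published)]
    return keep, stale, missing


# Constructed stand-ins for DER blobs (not real certificates).
OLD = Cert("old", b"cert-old", b"spki-old")
CURRENT = Cert("current", b"cert-current", b"spki-current")
NEXT = Cert("next", b"cert-next", b"spki-next")
ISSUER = Cert("issuer", b"cert-issuer", b"spki-issuer")

PUBLISHED = [
    generate(OLD, 3, 1, 1),      # rotated out, no longer served
    generate(CURRENT, 3, 1, 1),  # what the server presents today
    generate(CURRENT, 3, 0, 1),  # same cert, different selector
    generate(NEXT, 3, 1, 1),     # pre-published standby/failover
    generate(ISSUER, 2, 1, 1),   # DANE-TA record for the issuing CA
]


def strict_rule():
    """Rule from the quoted question: only the current cert is intended."""
    return reconcile(PUBLISHED, {3: [CURRENT], 2: [ISSUER]})


def rollover_rule():
    """Practice from the reply: current and next are both intended."""
    return reconcile(PUBLISHED, {3: [CURRENT, NEXT], 2: [ISSUER]})


if __name__ == "__main__":
    for label, fn in (("strict", strict_rule), ("rollover", rollover_rule)):
        keep, stale, missing = fn()
        print(f"{label}: stale={[str(r) for r in stale]} missing={missing}")
```

Under the strict rule the pre-published standby record is flagged stale alongside the genuinely old one; under the rollover rule only the old record is. Whichever policy you adopt, the deletion and the certificate switch have to respect DNS TTLs: a record must have been resolvable for at least its TTL before the certificate it describes is served, and the old record should stay until caches holding the old certificate's association have expired.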