Quoting Viktor Dukhovni ietf-dane@dukhovni.org:
> > On Fri, Nov 20, 2015 at 09:48:43PM -0500, Patrick Domack wrote:
> > Yes, I have noticed it is a big movement in Germany. Have had a lot of people asking for help on setting up DANE the last few months from there. But can't get any movement that is noticeable here in the USA.
> Perhaps we need a new protocol by which a TLS server can securely pre-publish the next certificate without activating it (say include it in a new TLS extension), thus allowing the DNS server operator to automate TLSA record updates by querying the SMTP server (authenticated via the current records).
That sounds pretty difficult to adjust for, and would need a lot of changes.
I like the current dnssec method, where we can publish multiple keys. I will generally publish a new key a month ahead of time for my ksk rollover, then rotate it, and then a month later remove the old key.
The same method could be done for TLSA, by publishing multiple records. I have not tested if any software accepts this or not, but just publishing the new one a week ahead of time, rotating it, and removing the old one at the same or later time (in case of failback), to me sounds like the preferred method.
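The overlapping-record rollover described in the reply above, worked through as an added example that is not part of the thread. It uses constructed byte strings in place of real DER-encoded certificates, models only the "3 0 1" TLSA form (DANE-EE, full certificate, SHA-256), and assumes the client behaviour that any one matching TLSA record is sufficient, which is what makes the multi-record overlap safe. The zone name `_25._tcp.mail.example.com` is a placeholder.

```python
"""Simulate a DANE TLSA rollover with overlapping records (added example).

Certificates are stand-ins: constructed byte strings rather than DER X.509.
Only usage 3 / selector 0 / matching type 1 is implemented.
"""
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
OLD_CERT = b"constructed-der-bytes-for-current-certificate"
NEW_CERT = b"constructed-der-bytes-for-next-certificate"
OWNER_NAME = "_25._tcp.mail.example.com."  # placeholder zone name


def tlsa_rdata(cert_der, usage=3, selector=0, mtype=1):
    """Return TLSA RDATA text: '<usage> <selector> <mtype> <hex digest>'.

    usage 3 = DANE-EE, selector 0 = full certificate, mtype 1 = SHA-256.
    """
    if (selector, mtype) != (0, 1):
        raise NotImplementedError("only selector 0 / matching type 1 is modelled")
    return f"{usage} {selector} {mtype} {hashlib.sha256(cert_der).hexdigest()}"


def zone_lines(records, owner=OWNER_NAME, ttl=3600):
    """Render the published TLSA RRset as zone-file lines."""
    return [f"{owner} {ttl} IN TLSA {rdata}" for rdata in records]


def dane_matches(cert_der, tlsa_records):
    """A DANE client accepts the served certificate if ANY TLSA record matches."""
    digest = hashlib.sha256(cert_der).hexdigest()
    for rdata in tlsa_records:
        usage, selector, mtype, published = rdata.split()
        if (int(usage), int(selector), int(mtype)) != (3, 0, 1):
            continue  # other forms are outside this model; skip them
        if published == digest:
            return True
    return False


def rollover_phases(old_cert, new_cert):
    """The safe order: (phase description, certificate served, TLSA RRset in DNS).

    Phase 1 must be published at least one TLL ahead of the rotation so every
    resolver cache holds both records; phase 3 should wait until the operator
    is confident no failback to the old certificate is needed.
    """
    old, new = tlsa_rdata(old_cert), tlsa_rdata(new_cert)
    return [
        ("pre-publish: old cert served, both records in DNS", old_cert, [old, new]),
        ("rotate: new cert served, both records still in DNS", new_cert, [old, new]),
        ("cleanup: new cert served, old record removed", new_cert, [new]),
    ]


def check_rollover(old_cert, new_cert):
    """True only if a DANE client would accept the served cert in every phase."""
    return all(dane_matches(cert, records)
               for _, cert, records in rollover_phases(old_cert, new_cert))


def premature_rotation(old_cert, new_cert):
    """The failure mode: certificate rotated while DNS still lists only the old record."""
    return dane_matches(new_cert, [tlsa_rdata(old_cert)])


if __name__ == "__main__":
    for phase, cert, records in rollover_phases(OLD_CERT, NEW_CERT):
        print(phase, "->", "accepted" if dane_matches(cert, records) else "REJECTED")
        for line in zone_lines(records):
            print("   ", line)
    print("rotating before pre-publishing:",
          "accepted" if premature_rotation(OLD_CERT, NEW_CERT) else "REJECTED")
```

The point the simulation makes is that the only ordering that never produces a rejection is the one in which the new record is already in every resolver's cache before the server starts serving the new certificate, and the old record is dropped only afterwards; `premature_rotation` shows the outage that results from skipping the pre-publish step.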