21 Nov
2016
3:26 a.m.
I recently had to switch CA. I was using StartCom, but recent events make them unacceptable. I have decided to go with Let's Encrypt. This works for most things but is giving me some headaches with DANE/TLSA.
I can generate the TLSA for my DNS (BIND 9) using Victor's tlsagen script. I direct the output into a file which will be included in the DNS zone file using $INCLUDE. I am not going the CSR route, so I am assuming that if I do this whenever certbot is run I should wind up with an up-to-date TLSA record.
My problem is how to get BIND to recognise that there has been a change.
Is this a workable idea? What have I got wrong?
TIA, John A
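The procedure the post describes (regenerate the TLSA record after certbot runs, rewrite the $INCLUDE file, make BIND pick it up) as an added example. This is not the poster's setup, Viktor Dukhovni's tlsagen script, or anything from certbot or BIND; it is a certbot deploy hook written for this thread. It computes the same kind of record tlsagen emits ("3 1 1": DANE-EE, SubjectPublicKeyInfo, SHA-256) with plain openssl, then bumps the SOA serial, which is the part the post is missing: BIND serves the zone it loaded at startup and only re-reads the file on `rndc reload` (or a restart), and secondaries only transfer it if the serial has gone up. Hostnames, the zone name, and the file paths under /etc/bind/zones are assumptions; `RENEWED_LINEAGE` is the environment variable certbot sets for deploy hooks.

```shell
#!/bin/sh
# Added example, not the poster's code: certbot deploy hook that refreshes a
# DANE "3 1 1" TLSA record and gets BIND to reload the zone.
# Assumed layout (adjust to taste):
#   owner name   _25._tcp.mail.example.com.
#   include file /etc/bind/zones/example.com.tlsa   ($INCLUDE'd from the zone)
#   zone file    /etc/bind/zones/example.com.zone
set -eu

# SHA-256 of the certificate's SubjectPublicKeyInfo (selector 1), printed as
# 64 lowercase hex characters. Hashing the key rather than the whole
# certificate (selector 0) means the record only changes when the key does.
tlsa_311() {
    # $1 = PEM end-entity certificate (cert.pem, not fullchain.pem)
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | od -An -v -tx1 | tr -d ' \n'
}

# Full zone-file line: "<owner> IN TLSA 3 1 1 <hash>"
tlsa_record() {
    # $1 = owner name with trailing dot, $2 = PEM certificate
    printf '%s IN TLSA 3 1 1 %s\n' "$1" "$(tlsa_311 "$2")"
}

# Increment the SOA serial in place. Assumes the common layout where the
# serial sits on a line of its own ending in "; serial"; only the first such
# line is touched. sprintf("%.0f") avoids scientific notation for
# 10-digit date-style serials in some awk implementations.
bump_serial() {
    # $1 = zone file
    awk '!done && /;.*[Ss]erial/ {
            if (match($0, /[0-9]+/)) {
                n = sprintf("%.0f", substr($0, RSTART, RLENGTH) + 1)
                $0 = substr($0, 1, RSTART - 1) n substr($0, RSTART + RLENGTH)
                done = 1
            }
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Rewrite the $INCLUDE file, bump the serial and reload the zone, but only
# if the record actually changed (it will not with certbot --reuse-key).
deploy_tlsa() {
    # $1 = cert, $2 = owner name, $3 = include file, $4 = zone file, $5 = zone name
    new=$(tlsa_record "$2" "$1")
    if [ -f "$3" ] && [ "$(cat "$3")" = "$new" ]; then
        return 0
    fi
    printf '%s\n' "$new" > "$3.tmp" && mv "$3.tmp" "$3"
    bump_serial "$4"
    # RNDC can be overridden (e.g. for a dry run); rndc reload <zone> makes
    # named re-read this one zone file.
    "${RNDC:-rndc}" reload "$5"
}

# certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_tlsa "$RENEWED_LINEAGE/cert.pem" _25._tcp.mail.example.com. \
        /etc/bind/zones/example.com.tlsa /etc/bind/zones/example.com.zone \
        example.com
fi
```

Install it with `certbot renew --deploy-hook /usr/local/sbin/tlsa-deploy.sh` (or drop it in renewal-hooks/deploy). Two caveats worth keeping in mind with Let's Encrypt and DANE-EE: the $INCLUDE'd file must exist before named first loads the zone or the zone fails to load; and unless certbot is told `--reuse-key`, every renewal produces a new private key, so the TLSA record changes each time and resolvers that still hold the old record in cache will fail validation until its TTL expires. A short TTL on the TLSA record, key reuse, or publishing the new record ahead of the switch are the usual answers. If the zone is DNSSEC-signed outside of BIND's inline signing, the reload also has to be followed by a re-sign.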