Please note: https://dane.sys4.de/common_mistakes#3
I'd like to draw everyone's attention to:
https://dane.sys4.de/common_mistakes#3
When you are planning to replace certificates of SMTP servers with published TLSA records, you MUST *first* publish a transitional TLSA RRset:
_25._tcp.mail.example.com. IN TLSA 3 1 1 <current-digest>
_25._tcp.mail.example.com. IN TLSA 3 1 1 <next-digest>
let that "burn in" for a few TTLs, while DNS caches time out the previous RRset containing only the current digest.
Then and only then, deploy the certificate chain whose leaf (public key in the above example) digest is <next-digest>. Once that appears to work, you can remove the stale digest from DNS:
_25._tcp.mail.example.com. IN TLSA 3 1 1 <next-now-current-digest>
I am seeing an uptick in the number of sites that replace their certificates, but neglect to update their TLSA records. That's not a good plan. DO NOT DO THAT. If maintaining valid TLSA records is too difficult, don't publish them; you'll be forgiven.
Viktor Dukhovni
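The rollover sequence above, and the check that catches the mistake the post warns about, as an added example that is not part of the original message or of any sys4/DANE tooling. It assumes the standard meaning of a "3 1 1" record (DANE-EE usage, SPKI selector, SHA-256 matching type, i.e. SHA-256 over the DER-encoded SubjectPublicKeyInfo). The two SPKI blobs are constructed Ed25519 SPKIs with made-up key bytes, standing in for the current key and the key of the next certificate chain.

```python
"""Added example (not from the post above): model the TLSA 3 1 1 rollover and
check whether the key a server presents is covered by the RRset that is
published (and that resolver caches may still be holding)."""
import hashlib

OWNER = "_25._tcp.mail.example.com."

# Constructed SPKI DER blobs: SEQUENCE { AlgorithmIdentifier(Ed25519), BIT STRING(32 bytes) }.
# The key bytes are fake; only the DER framing is realistic.
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
CURRENT_SPKI = _ED25519_SPKI_PREFIX + bytes(range(32))       # key behind today's certificate
NEXT_SPKI = _ED25519_SPKI_PREFIX + bytes(range(32, 64))      # key behind the replacement chain


def tlsa_311_digest(spki_der: bytes) -> str:
    """Matching type 1 (SHA-256) digest of a selector 1 (SPKI) value, lowercase hex."""
    return hashlib.sha256(spki_der).hexdigest()


def tlsa_record(digest_hex: str) -> str:
    """Render one DANE-EE(3) SPKI(1) SHA2-256(1) record in zone-file syntax."""
    return f"{OWNER} IN TLSA 3 1 1 {digest_hex}"


def rollover_rrsets(current_spki: bytes, next_spki: bytes) -> list[list[str]]:
    """The three RRsets to publish, in order:
    stage 0: before the rollover (current digest only),
    stage 1: transitional (current + next) -- must burn in for a few TTLs
             before the certificate is swapped,
    stage 2: after the rollover (next digest only) -- only once the new
             chain is confirmed to verify."""
    cur = tlsa_311_digest(current_spki)
    nxt = tlsa_311_digest(next_spki)
    return [
        [tlsa_record(cur)],
        [tlsa_record(cur), tlsa_record(nxt)],
        [tlsa_record(nxt)],
    ]


def served_key_matches(served_spki: bytes, rrset: list[str]) -> bool:
    """True if at least one published 3 1 1 record matches the presented key.
    Records with other usage/selector/matching-type values are ignored here."""
    want = tlsa_311_digest(served_spki)
    for rr in rrset:
        fields = rr.split()
        # fields: owner, class, type, usage, selector, matching type, digest
        if fields[3:6] == ["3", "1", "1"] and fields[6].lower() == want:
            return True
    return False


if __name__ == "__main__":
    stages = rollover_rrsets(CURRENT_SPKI, NEXT_SPKI)
    for i, rrs in enumerate(stages):
        print(f"stage {i}:")
        for rr in rrs:
            print("   ", rr)
    # The mistake from the post: certificate swapped while only the old digest is published.
    print("new cert served at stage 0 verifies:", served_key_matches(NEXT_SPKI, stages[0]))
    # The right order: swap only after the transitional RRset has propagated.
    print("new cert served at stage 1 verifies:", served_key_matches(NEXT_SPKI, stages[1]))
```

Run against a real deployment, `served_spki` would be the DER SubjectPublicKeyInfo taken from the certificate the MX actually presents on port 25, and the RRset would be whatever `_25._tcp.<mx>` currently returns; the same function then tells you whether a swap would break DANE-validating senders.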