I don't see how that is valid at all. It can be used as a hint, but
not a hard rule.
I publish 3 records: the past certificate that is rotated out, the
current one, and the next certificate I will roll in.
You should be publishing your standby/failover certificate, if you
want to handle a compromised certificate case.
Quoting John <[email protected]>:
Are the following assumptions reasonable?
If there are multiple TLSA DANE-EE (type 3) records for a particular
service, none of which match the current generated record, they can
(maybe should) be deleted.
The same "rule" could be applied to DANE type 2 records.
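As an added illustration of the disagreement above (this is example code, not something either poster wrote), the following reconciles a set of published TLSA records against the full rollover set (past, current, next) rather than against the current certificate alone. The SubjectPublicKeyInfo blobs are constructed stand-in byte strings, not real DER; in practice they would be the DER SPKI of each certificate. Usage 3 with selector 1 and matching type 1 ("3 1 1 <sha256 hex>") is assumed as the record form, and the same functions work for usage 2 (DANE-TA) records by passing the issuing CA's SPKI instead.

```python
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
# For a real deployment these would come from each certificate in the rollover set.
PAST_SPKI = b"constructed-spki-past-certificate"
CURRENT_SPKI = b"constructed-spki-current-certificate"
NEXT_SPKI = b"constructed-spki-next-certificate"
RETIRED_SPKI = b"constructed-spki-long-retired-certificate"


def tlsa_rdata(usage: int, selector: int, matching_type: int, data: bytes) -> str:
    """Build TLSA rdata in presentation format: 'usage selector mtype hex'.

    usage 3 = DANE-EE (end entity), usage 2 = DANE-TA (trust anchor);
    selector 1 = SubjectPublicKeyInfo, selector 0 = full certificate;
    matching type 0 = exact data, 1 = SHA-256, 2 = SHA-512 (RFC 6698).
    """
    if matching_type == 0:
        digest = data
    elif matching_type == 1:
        digest = hashlib.sha256(data).digest()
    elif matching_type == 2:
        digest = hashlib.sha512(data).digest()
    else:
        raise ValueError(f"unknown matching type {matching_type}")
    return f"{usage} {selector} {matching_type} {digest.hex()}"


def rollover_set(spkis, usage=3, selector=1, matching_type=1):
    """Records that SHOULD be published: one per certificate still in rotation
    (past for clients with stale caches, current, and the pre-published next)."""
    return {tlsa_rdata(usage, selector, matching_type, s) for s in spkis}


def reconcile(published, expected):
    """Compare the zone's TLSA RRset with the expected rollover set.

    Returns (keep, stale, missing):
      keep    - published records that match a certificate in rotation
      stale   - published records matching nothing in rotation (safe to delete)
      missing - rotation records not yet published (must be added, then wait a TTL
                before the matching certificate is served)
    """
    published, expected = set(published), set(expected)
    return published & expected, published - expected, expected - published


if __name__ == "__main__":
    expected = rollover_set([PAST_SPKI, CURRENT_SPKI, NEXT_SPKI])
    # The zone still carries a record for a certificate retired long ago.
    published = expected | {tlsa_rdata(3, 1, 1, RETIRED_SPKI)}

    keep, stale, missing = reconcile(published, expected)
    print("keep:", len(keep), "stale:", len(stale), "missing:", len(missing))

    # The "delete anything not matching the current record" rule from the question
    # would also remove the past and next records, breaking the rollover.
    _, naive_stale, _ = reconcile(published, rollover_set([CURRENT_SPKI]))
    print("records the current-only rule would delete:", len(naive_stale))
```

Because selector 1 hashes the public key rather than the certificate, a certificate re-issued with the same key pair still matches the existing record; only a key change produces a record that needs to enter the rotation.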