I have been working on a renew-hook for letsencrypt/certbot.

The idea was that it would generate new TLSA records when the certificates were updated, automatically install them and automatically remove the old ones after a suitable delay.

While I was putting it together I made some assumptions about the environment that TLSA records would be found in, in particular the DNS configuration. It seems I am probably wrong.

Is an automatic TLSA update system worth doing? Are the prerequisites that I think might make it work too onerous? E.g. Linux servers, needing SRV records in order to determine the port and host for each TLSA record.

John A
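An added example, not code from the post or from certbot, of the core logic such a renew hook needs: deriving the TLSA owner name from an SRV record's target and port, computing a DANE-EE (usage 3) SHA-256 record from the renewed certificate (selector 0 for the whole certificate, selector 1 for the SubjectPublicKeyInfo), and deciding at each run which records to add and which old ones may be removed once the new record has been in the zone for a grace period. Assumptions: the SRV target/port are already known (looked up elsewhere), DNS changes are applied by a function you supply, and the sample certificate is a constructed DER skeleton with the right field order, not a real certificate. Standard library only.

```python
"""Helper logic for a certificate renew hook that maintains DANE TLSA records.

Added example (assumptions: SRV target/port supplied by the caller; DNS
updates applied by a caller-supplied function; CONSTRUCTED_CERT below is a
structurally valid but fake X.509 DER used only to exercise the code).
"""
import hashlib
from dataclasses import dataclass


# --- minimal DER handling (enough to find SubjectPublicKeyInfo) -------------

def der_encode(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; lengths up to 65535 bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Read the TLV at pos; return (tag, value, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        nbytes = first & 0x7F
        n = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + n], start + n


def der_children(body: bytes):
    """Yield the raw TLV of each element in a SEQUENCE body, in order."""
    pos = 0
    while pos < len(body):
        _, _, end = der_read(body, pos)
        yield body[pos:end]
        pos = end


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV from a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body, _ = der_read(cert_body)
    fields = list(der_children(tbs_body))
    if fields and fields[0][0] == 0xA0:      # explicit [0] version present
        fields = fields[1:]
    return fields[5]                          # serial, sigalg, issuer, validity, subject, SPKI


# --- TLSA record construction ----------------------------------------------

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tlsa_rdata(cert_der: bytes, selector: int = 1) -> str:
    """DANE-EE record text: usage 3, selector 0 (cert) or 1 (SPKI), matching type 1 (SHA-256)."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    return f"3 {selector} 1 {sha256_hex(data)}"


def tlsa_owner(srv_target: str, port: int, proto: str = "tcp") -> str:
    """Owner name for the TLSA RRset, built from an SRV record's target and port."""
    return f"_{port}._{proto}.{srv_target.rstrip('.')}."


# --- rollover: add the new record first, drop old ones after a grace period --

@dataclass
class Published:
    owner: str
    rdata: str
    added_at: float       # epoch seconds when the record went into the zone


def plan_rollover(published, owner, current_rdata, now, grace_seconds):
    """Return (to_add, to_remove) for one owner name.

    The record for the currently served certificate is added if missing.
    Stale records for the same owner are removed only once the current one
    has been published for at least grace_seconds (choose this longer than
    the zone TTL so cached TLSA answers still match a reachable certificate).
    """
    same = [r for r in published if r.owner == owner]
    current = next((r for r in same if r.rdata == current_rdata), None)
    to_add = [] if current else [Published(owner, current_rdata, now)]
    if current and now - current.added_at >= grace_seconds:
        to_remove = [r for r in same if r.rdata != current_rdata]
    else:
        to_remove = []
    return to_add, to_remove


# --- constructed sample certificate (fake contents, real field layout) -----

_OID_RSA = der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
SPKI_SAMPLE = der_encode(0x30, der_encode(0x30, _OID_RSA + der_encode(0x05, b""))
                         + der_encode(0x03, b"\x00" + b"\x01" * 16))
_TBS = der_encode(0x30,
                  der_encode(0xA0, der_encode(0x02, b"\x02"))            # version v3
                  + der_encode(0x02, b"\x01")                             # serial
                  + der_encode(0x30, _OID_RSA)                            # signature alg
                  + der_encode(0x30, b"")                                 # issuer (empty Name)
                  + der_encode(0x30, der_encode(0x17, b"240101000000Z")
                               + der_encode(0x17, b"250101000000Z"))      # validity
                  + der_encode(0x30, b"")                                 # subject
                  + SPKI_SAMPLE)
CONSTRUCTED_CERT = der_encode(0x30, _TBS + der_encode(0x30, _OID_RSA)
                              + der_encode(0x03, b"\x00" * 9))

if __name__ == "__main__":
    owner = tlsa_owner("mail.example.com", 25)        # from the service's SRV record
    print(owner, "IN TLSA", tlsa_rdata(CONSTRUCTED_CERT, selector=1))
```

Each hook run (and a periodic follow-up run, since the removal step happens later than the renewal) calls `plan_rollover` with the records currently in the zone and applies `to_add` before reloading the server and `to_remove` once the grace period has elapsed; the same planning works for selector 0 records, which is what you need when the renewed certificate also carries a new key.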
