> On Apr 12, 2018, at 11:21 PM, Philip Paeps <phi...@trouble.is> wrote:
>
> As pointed out, you don't need to restart (and usually don't even need to
> reload) Postfix for the new keys and certificates to take effect.
>
> However: do keep in mind that if you're using DANE and you're replacing the
> keys, you need to allow enough time for the keys to roll over in the DNS.
>
> Unless you have a real need to replace the keys (e.g. compromise,
> policy), it may be easier to simply reissue the certificate without
> generating new keys. In that case, you can use "3 1 1" TLSA records in the
> DNS and you don't need to roll them when you're simply reissuing your
> certificates.
For mistakes to avoid and the latest best-practice key rotation approaches
for DANE see:

    https://dane.sys4.de/common_mistakes
    http://imrryr.org/~viktor/ICANN61-viktor.pdf
    http://imrryr.org/~viktor/icann61-viktor.mp3

The original timing considerations are described in:

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

but the ideas in the ICANN61 slides incorporate more recent insights.

-- 
	Viktor.
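The point made in the thread, that a "3 1 1" TLSA record is bound to the public key rather than to a particular certificate, can be checked locally with openssl. The script below is an added example, not code from the thread, from Postfix or from the linked slides. It assumes an openssl binary on PATH and uses a hypothetical host name, mx.example.net; the keys and certificates are generated on the fly and thrown away. It issues two self-signed certificates on one key (standing in for a CA reissue), a third on a fresh key, and shows that only the fresh key changes the record data. It also prints the two-record RRset you would publish side by side during a key rollover, which is the pre-publication step the RFC 7671 section 8.1 timing considerations are about.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Assumes "openssl" is
# on PATH; mx.example.net is a hypothetical host name.
#
# A TLSA record with usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo) and
# matching type 1 (SHA-256) hashes only the public key, so a certificate
# reissued for the same key keeps the same record, while a fresh key needs a
# new record published and propagated before the key goes into service.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print the "3 1 1 <hex>" RDATA for the certificate in $1:
# extract the SPKI as DER and hash it with SHA-256.
tlsa_311() {
    hash=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}')
    printf '3 1 1 %s\n' "$hash"
}

# Generate a fresh 2048-bit RSA private key into $1.
new_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# Issue a self-signed certificate ($2) for key $1; stands in for a CA reissue.
issue_cert() {
    openssl req -x509 -new -key "$1" -out "$2" -days 30 \
        -subj "/CN=mx.example.net" 2>/dev/null
}

new_key "$WORK/keyA.pem"
issue_cert "$WORK/keyA.pem" "$WORK/certA1.pem"   # original certificate
issue_cert "$WORK/keyA.pem" "$WORK/certA2.pem"   # reissued on the same key
new_key "$WORK/keyB.pem"
issue_cert "$WORK/keyB.pem" "$WORK/certB.pem"    # replacement key (compromise/policy)

# Succeeds when a reissue on the same key leaves the TLSA RDATA unchanged.
reissue_keeps_tlsa() {
    [ "$(tlsa_311 "$WORK/certA1.pem")" = "$(tlsa_311 "$WORK/certA2.pem")" ]
}

# Succeeds when a new key yields different TLSA RDATA, i.e. a DNS rollover is needed.
new_key_changes_tlsa() {
    [ "$(tlsa_311 "$WORK/certA1.pem")" != "$(tlsa_311 "$WORK/certB.pem")" ]
}

# RRset to publish during a key rollover: records for the old ($1) and new ($2)
# certificate side by side, kept until the old record has aged out of caches
# and the new key is in service (RFC 7671 section 8.1).
rollover_rrset() {
    printf '_25._tcp.mx.example.net. IN TLSA %s\n' "$(tlsa_311 "$1")" "$(tlsa_311 "$2")"
}

if reissue_keeps_tlsa; then echo "reissue on same key: TLSA RDATA unchanged"; fi
if new_key_changes_tlsa; then echo "new key: TLSA RDATA changed, pre-publish before switching"; fi
rollover_rrset "$WORK/certA1.pem" "$WORK/certB.pem"
```

Run it as a plain shell script; it needs no network. The rollover RRset it prints is the shape to load into the zone before installing the new key, and the old record can only be dropped once the new key is live and the old record's TTL has passed.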