Again, great feedback…I am definitely diving into DANE now…may have more questions but I will try to keep those to a minimum.
Thanks again Viktor - very much appreciated…

> On Jul 27, 2020, at 2:44 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
> On Mon, Jul 27, 2020 at 08:58:19PM +0000, Antonio Leding wrote:
>
>>> You can of course use an LE cert, it does not do any obvious harm,
>>> unless you also do DANE, and neither freeze the key, nor handle TLSA
>>> updates correctly (in advance of cert deployment).
>>
>> So I’m gathering (a) not much will be gained by using a public-A
>> signed cert; and (b) the PROs of using DANE + self-signed likely (or
>> actually) outweigh going with an LE cert sans DANE.
>
> Yes, (a) not much gained.
>
> And, (b) while it is not in principle that difficult to combine DANE
> with automated renewal of Let's Encrypt certs, some struggle getting all
> the gears to move in unison.
>
> If you do want to secure your inbound email, do consider DANE, but
> make sure that the first thing you implement is monitoring that
> checks whether DANE is working correctly, then a robust rollover
> process that ensures that even somewhat stale TLSA records (in
> secondary nameservers or downstream caches) never fail to
> match the deployed certificate chain.
>
> Once you have monitoring, and sound rollover process, enable DANE.
> You'll of course need to have a DNSSEC-signed domain, and monitoring for
> that too (including checking that signatures on key RRsets are not
> unexpectedly close to expiring).
>
> --
> Viktor.
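The monitoring and rollover checks Viktor describes above, as an added example that is not code from this thread or from Postfix: it models RFC 6698 TLSA matching with only the standard library and assumes the caller has already extracted each certificate's DER and SubjectPublicKeyInfo bytes (the byte strings below are constructed placeholders, not real DER). It shows why a frozen key with a "3 1 1" record survives renewal while "3 0 1" does not, and why the new key's record must be published before the new cert is deployed.

```python
import hashlib
from typing import NamedTuple

# RFC 6698 field values (real); only DANE-TA/DANE-EE are used for SMTP (RFC 7672).
DANE_TA, DANE_EE = 2, 3                    # certificate usage
SEL_CERT, SEL_SPKI = 0, 1                  # selector: full cert or SubjectPublicKeyInfo
MT_FULL, MT_SHA256, MT_SHA512 = 0, 1, 2    # matching type

class Cert(NamedTuple):      # stand-in for a parsed X.509 certificate (constructed)
    der: bytes               # whole certificate, DER
    spki: bytes              # its SubjectPublicKeyInfo, DER

class Tlsa(NamedTuple):      # one TLSA record
    usage: int
    selector: int
    mtype: int
    data: bytes              # certificate association data

def association_data(selector: int, mtype: int, cert: Cert) -> bytes:
    """Association data a record would need to contain to match this certificate."""
    obj = cert.der if selector == SEL_CERT else cert.spki
    if mtype == MT_FULL:
        return obj
    if mtype == MT_SHA256:
        return hashlib.sha256(obj).digest()
    if mtype == MT_SHA512:
        return hashlib.sha512(obj).digest()
    raise ValueError(f"unknown matching type {mtype}")

def tlsa_for(usage: int, selector: int, mtype: int, cert: Cert) -> Tlsa:
    return Tlsa(usage, selector, mtype, association_data(selector, mtype, cert))

def chain_matches(rrset: list[Tlsa], chain: list[Cert]) -> bool:
    """True if the deployed chain (leaf first) satisfies at least one published record."""
    for rr in rrset:
        if rr.usage == DANE_EE:
            candidates = chain[:1]       # DANE-EE: the leaf certificate only
        elif rr.usage == DANE_TA:
            candidates = chain[1:]       # DANE-TA: an issuer certificate in the chain
        else:
            continue                     # PKIX-* usages are not used for SMTP
        if any(association_data(rr.selector, rr.mtype, c) == rr.data for c in candidates):
            return True
    return False

# Constructed sample data (not real DER): key A is kept across a renewal, key B is new.
KEY_A, KEY_B = b"constructed-spki-A", b"constructed-spki-B"
cert_a1 = Cert(b"cert-2020-07:" + KEY_A, KEY_A)   # currently deployed certificate
cert_a2 = Cert(b"cert-2020-07:" + KEY_A, KEY_A)   # renewed later with the same (frozen) key
cert_a2 = Cert(b"cert-2020-10:" + KEY_A, KEY_A)
cert_b1 = Cert(b"cert-2021-01:" + KEY_B, KEY_B)   # future certificate with a new key

def rollover_plan() -> dict:
    published = [tlsa_for(DANE_EE, SEL_SPKI, MT_SHA256, cert_a1)]    # "3 1 1" for key A
    pinned_cert = [tlsa_for(DANE_EE, SEL_CERT, MT_SHA256, cert_a1)]  # "3 0 1": breaks on renewal
    prepublished = published + [tlsa_for(DANE_EE, SEL_SPKI, MT_SHA256, cert_b1)]
    return {"monitor_current": chain_matches(published, [cert_a1]),
            "renewal_frozen_key": chain_matches(published, [cert_a2]),
            "renewal_with_3_0_1": chain_matches(pinned_cert, [cert_a2]),
            "deploy_b_before_prepublish": chain_matches(published, [cert_b1]),
            "deploy_b_after_prepublish": chain_matches(prepublished, [cert_b1])}
```

A monitor would compute the same `chain_matches` against the chain actually served on port 25 and the TLSA RRset fetched (with DNSSEC validation) from DNS; the pre-deploy check is the same call with the candidate chain, and it must pass against the RRset that stale caches may still hold.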