> -----Original Message-----
> From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org>
> On Behalf Of Antonio Leding
> Sent: Monday, July 27, 2020 6:56 PM
> To: postfix-users@postfix.org
> Subject: Re: What is lost by using self-signed certs for TLS?
> 
> Thanks Viktor - actually watching some of the presos now…
> 
> BTW…any choice you like for DNSSEC providers?  Google seems like a safe
> bet but I figured you might have some feedback on this as well…

I use Google. They've been reliable, inexpensive (for my small zones), and they 
do support DNSSEC and TLSA record publication. If you use them, you're going to 
need to do some scripting using the Let's Encrypt renewal hooks and gcloud to 
update your TLSA record(s) every time you renew your certificate(s). Viktor 
does some automated checking that's caught the few times when my TLSA 
re-generation script has gone awry, so don't worry, if you publish a bad TLSA 
record you'll find out soon enough!

Scott
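
One way to write the renewal hook described above, as a certbot deploy hook (an added example, not Scott's script). The zone name, MX host name, TTL, the choice of a `3 1 1` record, and an already existing TLSA record set are assumptions.

```sh
#!/bin/sh
# Certbot deploy hook: regenerate the DANE TLSA record after a renewal.
# Placeholders (assumptions, not from the original message):
ZONE="${ZONE:-example-zone}"            # Cloud DNS managed zone name
MX_HOST="${MX_HOST:-mail.example.com}"  # host name the MX record points to
TTL="${TTL:-3600}"
# SHA-256 of empty input: what the pipeline yields if key extraction fails
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# Print "3 1 1 <hex>" (DANE-EE, SPKI, SHA-256) for a PEM certificate file.
tlsa_rdata() {
    pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    digest=$(printf '%s\n' "$pub" \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1)
    # POSIX sh has no pipefail, so validate the result instead of trusting
    # the exit status: exactly 64 lowercase hex digits, not the empty hash.
    case "$digest" in
        ""|*[!0-9a-f]*|"$EMPTY_SHA256") return 1 ;;
    esac
    [ "${#digest}" -eq 64 ] || return 1
    printf '3 1 1 %s\n' "$digest"
}

# Replace the rdata of the existing _25._tcp TLSA record set in Cloud DNS.
publish_tlsa() {
    rdata=$(tlsa_rdata "$1") || {
        echo "TLSA generation failed; DNS record left unchanged" >&2
        return 1
    }
    gcloud dns record-sets update "_25._tcp.${MX_HOST}." \
        --zone="$ZONE" --type=TLSA --ttl="$TTL" --rrdatas="$rdata"
}

# certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy
# hooks; without it the file only defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    publish_tlsa "$RENEWED_LINEAGE/cert.pem"
fi
```

Install it under `/etc/letsencrypt/renewal-hooks/deploy/` or pass it with certbot's `--deploy-hook`. A `3 1 1` record pins the public key, so the published value only changes when the renewal generates a new key.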
