On 12/04/2022 at 18:52, Ralph Seichter wrote:
* Erwan David:

Does it handle restarting/reloading a program when changing the
certificate ? Postfix does not need it, but dovecot does.
LetsDNS does not obtain or change TLS certificates, because that's what
specialised ACME clients like "dehydrated" or "certbot" are for. A hook
function in one of these clients would be a reasonable place to restart
a service.

LetsDNS generates and/or publishes DANE TLSA records matching the
certificates it reads. The example configuration I provided shows how
this can be used to gracefully roll over certificates when using a
staging mechanism.

The DANE Users mailing list <dane-us...@sys4.de> is probably better
suited for further discussion of this subject.

-Ralph

OK, but due to DNS caching, I think that a TLSA update should follow the same sort of algorithm as a DNSSEC key rollover. A first thought about this would be:

1) generate the new cert, stage it

2) publish the new TLSA in DNS

3) wait for the DNS TTL

4) change the certificate for the staged one (might have to reload/restart some service)

5) remove the old TLSA.

That's just a first approximation; I am not sure there is not a time where a client has only the old TLSA and gets the new cert in the connection.

As you can see, LetsDNS would have to act in cooperation with the certificate update.
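The rollover sequence described in the reply above, as an added example that is not part of this thread and not LetsDNS code: a small Python model that replays a schedule of actions (publish the new TLSA, switch the served certificate, remove the old TLSA) against a population of resolvers whose TLSA caches expire at staggered times, and reports every instant at which some client would have checked the served key against a cached RRset that does not contain it. The SubjectPublicKeyInfo bytes, the resolver population and the TTL are constructed; in a real deployment the "3 1 1" digest is SHA-256 over the DER-encoded SubjectPublicKeyInfo taken from the certificate.

```python
"""Simulated DANE TLSA rollover against resolvers holding cached RRsets."""
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for the DER SubjectPublicKeyInfo of the old and new certificate.
OLD_SPKI = b"constructed-old-public-key-der"
NEW_SPKI = b"constructed-new-public-key-der"


def tlsa_rdata(spki_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation form of a TLSA record: usage 3 (DANE-EE), selector 1
    (SubjectPublicKeyInfo), matching type 1 (SHA-256), i.e. the usual '3 1 1' profile."""
    return f"{usage} {selector} {mtype} {hashlib.sha256(spki_der).hexdigest()}"


@dataclass
class CachedRRset:
    """One recursive resolver's cached copy of the TLSA RRset and its expiry time."""
    records: frozenset
    expires_at: int

    def lookup(self, authoritative: set, now: int, ttl: int) -> frozenset:
        # Serve the cached answer until the TTL runs out, then refetch from the zone.
        if now >= self.expires_at:
            self.records = frozenset(authoritative)
            self.expires_at = now + ttl
        return self.records


def simulate(schedule: dict, ttl: int, horizon: int, resolvers: int = 60) -> list:
    """Replay a {time: action} schedule and return every instant at which at
    least one client, validating the served key against its resolver's cached
    TLSA set, would have refused the connection."""
    authoritative = {tlsa_rdata(OLD_SPKI)}
    served = tlsa_rdata(OLD_SPKI)
    # Constructed population: caches filled before t=0 with staggered expiry, so
    # every cache age up to one TTL is represented at every instant.
    caches = [CachedRRset(frozenset(authoritative), i * ttl // resolvers)
              for i in range(resolvers)]
    failures = []
    for now in range(horizon):
        action = schedule.get(now)
        if action == "publish_new":
            authoritative.add(tlsa_rdata(NEW_SPKI))
        elif action == "switch_cert":
            served = tlsa_rdata(NEW_SPKI)
        elif action == "remove_old":
            authoritative.discard(tlsa_rdata(OLD_SPKI))
        # Evaluate every cache (no short-circuit) so each refreshes when its TTL expires.
        stale = [c for c in caches if served not in c.lookup(authoritative, now, ttl)]
        if stale:
            failures.append(now)
    return failures


def safe_schedule(ttl: int, start: int = 0) -> dict:
    """Publish the new TLSA, wait a full TTL before switching the certificate,
    then remove the old record."""
    return {start: "publish_new", start + ttl + 1: "switch_cert", start + ttl + 2: "remove_old"}


def hasty_schedule(ttl: int, start: int = 0) -> dict:
    """Same steps, but the certificate is switched after only half a TTL."""
    return {start: "publish_new", start + ttl // 2: "switch_cert",
            start + ttl // 2 + 1: "remove_old"}


if __name__ == "__main__":
    TTL = 600  # constructed TTL in seconds
    print("safe schedule failures :", simulate(safe_schedule(TTL), TTL, 2 * TTL))
    hasty = simulate(hasty_schedule(TTL), TTL, 2 * TTL)
    print("hasty schedule failures:", f"{len(hasty)} instants, from t={hasty[0]} to t={hasty[-1]}")
```

With a 600 s TTL the safe schedule produces no failures at all, while the hasty one fails from the moment the certificate is switched until the last cache that still holds only the old record expires: exactly the window the reply above worries about. Waiting at least one full TTL between publishing the new TLSA record and switching the certificate is what closes it; once the new record has propagated, removing the old one is harmless because every cache then contains the digest of the key actually being served.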