On Wed, Nov 07, 2018 at 08:07:46AM -0800, Alice Wonder wrote:
> It may also be of benefit to zones that use DNSSEC but who want to
> automate Let's Encrypt certificate renewal. Automation of LE renewal is
> tricky when the private key changes so often because you have to have a
> new fingerprint in TLSA before it goes into service.
FWIW, I've reached out to the certbot maintainers, and we may see
some improvement in that space before too long. That is, certbot
may get updated to explicitly support TLSA records, by automatically
rotating keys in a TLSA-safe manner. This is already possible with
some local scripting, but the goal is to make that a built-in feature
of certbot.
--
Viktor.
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta
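As an added illustration of the TLSA-safe rotation the thread refers to (example code written for this page, not certbot's code and not from the original message): the new key's fingerprint is published first, the key is only put into service after the TLSA RRset has been visible for a full TTL, and the old record is withdrawn only once the old key stops serving. It assumes DANE-EE "3 1 1" records (SHA-256 over the DER SubjectPublicKeyInfo) and uses constructed byte strings in place of real keys.

```python
import hashlib

def tlsa_rdata(spki_der: bytes) -> str:
    """Rdata for a DANE-EE(3) SPKI(1) SHA-256(1) TLSA record: the hash covers
    the DER SubjectPublicKeyInfo, so it changes exactly when the key does."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()

class TlsaRollover:
    """Pre-publication rule: a key goes into service only after its TLSA
    record has been in the zone for one full TTL, and a record is withdrawn
    only after its key is out of service."""

    def __init__(self, ttl: int):
        self.ttl = ttl            # TTL of the TLSA RRset, in seconds
        self.published = {}       # rdata -> time it was first published
        self.in_service = None    # rdata of the key currently being served

    def publish(self, spki_der: bytes, now: int) -> str:
        rd = tlsa_rdata(spki_der)
        self.published.setdefault(rd, now)
        return rd

    def can_deploy(self, spki_der: bytes, now: int) -> bool:
        # Caches may hold the old RRset for up to one TTL; only after that is
        # every cached copy guaranteed to contain the new fingerprint.
        first_seen = self.published.get(tlsa_rdata(spki_der))
        return first_seen is not None and now - first_seen >= self.ttl

    def deploy(self, spki_der: bytes, now: int) -> None:
        if not self.can_deploy(spki_der, now):
            raise RuntimeError("TLSA record not yet published for a full TTL")
        self.in_service = tlsa_rdata(spki_der)

    def withdraw(self, spki_der: bytes) -> None:
        rd = tlsa_rdata(spki_der)
        if rd == self.in_service:
            raise RuntimeError("cannot withdraw the TLSA record of the live key")
        self.published.pop(rd, None)

def simulate_rollover(ttl: int = 3600) -> list:
    # Constructed stand-ins for two keys' SPKI DER bytes, not real keys.
    key_a, key_b = b"constructed-spki-A", b"constructed-spki-B"
    z = TlsaRollover(ttl)
    z.publish(key_a, now=0)
    z.deploy(key_a, now=ttl)                   # key A serving
    z.publish(key_b, now=ttl)                  # pre-publish B's record
    early = z.can_deploy(key_b, now=ttl + 10)  # False: not a full TTL yet
    z.deploy(key_b, now=2 * ttl)               # safe after one TTL
    z.withdraw(key_a)                          # A is no longer serving
    return [early, z.in_service == tlsa_rdata(key_b), sorted(z.published)]
```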