ietf-smtp

Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4

2020-03-03 12:26:19
On Tue 03/Mar/2020 14:50:14 +0100 Дилян Палаузов wrote:
> Hello,
>
> on a very short notice, Let’s Encrypt revokes its certificates with the
> message below.  This effectively means to start and complete
> TLSA/DANE/DNSSEC certificate rollover within 24h.

If timely renewal works, everything should keep on working smoothly.

> Is this possible in general, when the DNS TTL on its own is 24h?  Do I
> understand something wrong, stating that this mass revocation is just
> bad for DANE+SMTP?

How about shortening the TTL right now?

> What is the right way to mass revoke certificates involved in DANE?

I think you can always get new certificates, add new TLSA records, and swap
certificates right before revocation, hoping the new records will have
propagated by then.


hth
Ale
-- 

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
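
Added example, not part of the original message or of any project's code: a sketch of the timing behind the "add new TLSA records, then swap certificates" rollover discussed above, computing the earliest moment no resolver can still hold a cached TLSA RRset that lacks the new record. The function names, the timeline and the TTL values are constructed for illustration, and it assumes resolvers honour the published TTL and that `published` is when every authoritative server serves the signed new RRset.

```python
from datetime import datetime, timedelta, timezone

H = timedelta(hours=1)

def stale_until(ttl_history, published):
    """Latest time a cache may still hold the TLSA RRset without the new record.

    ttl_history: sorted list of (effective_from, ttl) for the TLSA RRset.
    A cache filled at time t keeps the answer for the TTL in effect at t,
    and a stale answer can be fetched at any moment before `published`.
    """
    latest = published
    for i, (start, ttl) in enumerate(ttl_history):
        if start >= published:
            break  # TTL changes after publication cannot create stale caches
        nxt = ttl_history[i + 1][0] if i + 1 < len(ttl_history) else published
        last_stale_fetch = min(nxt, published)
        latest = max(latest, last_stale_fetch + ttl)
    return latest

def plan(ttl_history, published, deadline):
    """Decide whether the certificate swap can safely precede the deadline."""
    swap = stale_until(ttl_history, published)
    return {"earliest_safe_swap": swap,
            "feasible": swap <= deadline,
            "margin": deadline - swap}

# Constructed timeline: notice received, revocation 24h later, and the
# new TLSA record published one hour after the notice.
NOTICE = datetime(2020, 3, 3, 14, 0, tzinfo=timezone.utc)
DEADLINE = NOTICE + 24 * H
PUBLISHED = NOTICE + 1 * H
LONG_AGO = NOTICE - 30 * 24 * H

SCENARIOS = {
    "ttl_24h_unchanged": [(LONG_AGO, 24 * H)],
    "ttl_24h_cut_to_1h_at_notice": [(LONG_AGO, 24 * H), (NOTICE, 1 * H)],
    "ttl_already_1h": [(LONG_AGO, 1 * H)],
}

if __name__ == "__main__":
    for name, history in SCENARIOS.items():
        result = plan(history, PUBLISHED, DEADLINE)
        print(f"{name}: swap at {result['earliest_safe_swap']:%d %b %H:%M} UTC, "
              f"feasible={result['feasible']}, margin={result['margin']}")
```

Once the certificate has been swapped at or after the computed time, the old TLSA record can be withdrawn, since every cached RRset from then on contains the new record.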