On Tue 03/Mar/2020 14:50:14 +0100 Дилян Палаузов wrote:
On very short notice, Let's Encrypt revokes its certificates with the
message below. This effectively means starting
and completing a TLSA/DANE/DNSSEC certificate rollover within 24h.
If timely renewal works, everything should keep on working smoothly.
Is this possible in general, when the DNS TTL on its own is 24h? Do I
understand something wrong, stating that this
mass revocation is just bad for DANE+SMTP?
How about shortening the TTL right now?
What is the right way to mass revoke certificates involved in DANE?
I think you can always get new certificates, add new TLSA records, and swap
certificates right before revocation, hoping the new records will have
propagated by then.
ietf-smtp mailing list
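Added example (not code from either poster in this thread): the rollover the reply describes, written out as TLSA record generation plus the "current + next" RRset sequence of RFC 7671, and the check a DANE-verifying SMTP client performs against a usage-3 record. It also shows the caveat that matters for a revoke-and-reissue event: a "3 1 1" record hashes only the SubjectPublicKeyInfo, so reissuing with the same key pair leaves the record unchanged and needs no DNS change at all, whereas "3 0 1" (full certificate) or a new key pair forces the TTL wait. Everything is standard library only; the certificates are constructed, unsigned, minimal DER Certificate structures around dummy Ed25519 keys, and the owner name _25._tcp.mail.example.com is an assumption, not anything from the thread.

```python
"""TLSA (DANE-EE) record generation and the current+next rollover RRsets.

Constructed example, stdlib only.  make_cert() builds a minimal, unsigned
X.509 v3 Certificate DER in RFC 5280 field order around a dummy Ed25519
SubjectPublicKeyInfo; it is NOT a CA-issued certificate.  extract_spki(),
tlsa_rdata() and dane_ee_match() are what a TLSA generator and a DANE
verifier really compute.
"""
import hashlib


# ---- tiny DER encoder, only what the constructed certificates need ----
def der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        ln = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + payload


def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))


ED25519_ALG = der_seq(b"\x06\x03\x2b\x65\x70")   # AlgorithmIdentifier { id-Ed25519 }


def make_spki(pubkey: bytes) -> bytes:
    # SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }
    return der_seq(ED25519_ALG, der(0x03, b"\x00" + pubkey))


def make_cert(serial: int, pubkey: bytes) -> bytes:
    """Constructed minimal Certificate DER (dummy signature, serial < 128)."""
    tbs = der_seq(
        der(0xA0, der(0x02, b"\x02")),            # [0] EXPLICIT version v3
        der(0x02, bytes([serial])),               # serialNumber
        ED25519_ALG,                              # signature
        der_seq(),                                # issuer (empty Name, constructed)
        der_seq(der(0x17, b"200301000000Z"), der(0x17, b"200601000000Z")),
        der_seq(),                                # subject (empty Name, constructed)
        make_spki(pubkey),                        # subjectPublicKeyInfo
    )
    return der_seq(tbs, ED25519_ALG, der(0x03, b"\x00" + bytes(64)))


# ---- tiny DER decoder: flat TLV walker ----
def der_tlvs(buf: bytes):
    """Yield (tag, value, raw_tlv) for each top-level TLV in buf."""
    i = 0
    while i < len(buf):
        tag, ln, j = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                             # long-form length
            k = ln & 0x7F
            ln = int.from_bytes(buf[j:j + k], "big")
            j += k
        yield tag, buf[j:j + ln], buf[i:j + ln]
        i = j + ln


def extract_spki(cert_der: bytes) -> bytes:
    """Raw DER SubjectPublicKeyInfo TLV of a certificate (what selector 1 hashes)."""
    tbs = next(der_tlvs(next(der_tlvs(cert_der))[1]))[1]   # Certificate -> tbsCertificate
    fields = list(der_tlvs(tbs))
    if fields[0][0] == 0xA0:                      # optional [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """RFC 6698 TLSA presentation format ("3 1 1 <sha256 of SPKI>" by default)."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        digest = data.hex()
    elif mtype == 1:
        digest = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {digest}"


def rollover_rrsets(old_cert: bytes, new_cert: bytes) -> list:
    """RRsets to publish in order for a key change (RFC 7671 "current + next"):
    [0] old + new  -> publish, then wait at least one TLSA TTL before swapping
    [1] new only   -> publish after the server serves the new certificate."""
    old, new = tlsa_rdata(old_cert), tlsa_rdata(new_cert)
    return [[old, new], [new]]


def dane_ee_match(cert_der: bytes, rrset: list) -> bool:
    """Usage-3 check a DANE SMTP client makes: any published record that
    matches the presented certificate is sufficient (no chain, no CRL/OCSP)."""
    for rdata in rrset:
        usage, selector, mtype, _ = rdata.split()
        if usage == "3" and tlsa_rdata(cert_der, 3, int(selector), int(mtype)) == rdata:
            return True
    return False


if __name__ == "__main__":
    key_a, key_b = bytes(range(32)), bytes(range(32, 64))   # constructed dummy keys
    cert_old, cert_reissued, cert_newkey = make_cert(1, key_a), make_cert(2, key_a), make_cert(3, key_b)
    # Same key pair, new serial: the "3 1 1" record is unchanged, "3 0 1" is not.
    print("3 1 1 stable across reissue:", tlsa_rdata(cert_old) == tlsa_rdata(cert_reissued))
    print("3 0 1 stable across reissue:", tlsa_rdata(cert_old, 3, 0, 1) == tlsa_rdata(cert_reissued, 3, 0, 1))
    for label, rrset in zip(("current+next", "next only"), rollover_rrsets(cert_old, cert_newkey)):
        print(label)
        for r in rrset:
            print("  _25._tcp.mail.example.com. IN TLSA", r)
```

Because a usage-3 verifier never consults CRLs or OCSP, a revoked but still-published "3 1 1" certificate keeps validating for DANE clients; the only thing the 24h deadline threatens is a server that swaps to a new key before the new record has propagated, which the current+next set above avoids.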