Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4

2020-03-03 12:26:19
On Tue 03/Mar/2020 14:50:14 +0100 Дилян Палаузов wrote:

> on very short notice, Let's Encrypt revokes its certificates with the message below. This effectively means to start and complete TLSA/DANE/DNSSEC certificate rollover within 24h.

If timely renewal works, everything should keep on working smoothly.

> Is this possible in general, when the DNS TTL on its own is 24h? Do I understand something wrong, stating that this mass revocation is just bad for DANE+SMTP?

How about shortening the TTL right now?

> What is the right way to mass revoke certificates involved in DANE?

I think you can always get new certificates, add new TLSA records, and swap
certificates right before revocation, hoping the new records will have
propagated by then.
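The sequence suggested in the reply (publish the new TLSA record alongside the old one, wait for it to propagate, swap the certificate, then withdraw the old record) can be made deterministic instead of hoping: a cache that fetched the RRset just before the new record was published keeps the old copy for one full TTL, so the swap is safe exactly one TTL after publication. The following is an added example, not code from either poster, using only the Python standard library. It builds a "3 1 1" TLSA record from an Ed25519 SubjectPublicKeyInfo (the key bytes and TTL values are constructed for illustration) and checks whether a clean rollover fits before a revocation deadline; it also shows why lowering the TTL "right now" only pays off once caches holding the old TTL have expired.

```python
"""DANE TLSA rollover timing under a DNS TTL constraint (added example, stdlib only)."""
import hashlib
from dataclasses import dataclass, field

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410); the 32 raw key bytes follow.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki(raw_key: bytes) -> bytes:
    """Wrap a raw 32-byte Ed25519 public key in its DER SubjectPublicKeyInfo."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ED25519_SPKI_PREFIX + raw_key


def tlsa_rdata(spki_der: bytes) -> str:
    """TLSA rdata for usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256).

    Keying the record on the SPKI means a renewed certificate that reuses the
    same key pair needs no DNS change at all; only a key change needs a rollover.
    """
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


@dataclass
class TlsaRollover:
    """Tracks the published TLSA RRset and when each record is visible to every cache."""
    ttl: int                                   # TTL of the TLSA RRset, in seconds
    rrset: set = field(default_factory=set)
    published_at: dict = field(default_factory=dict)

    def publish(self, rdata: str, now: int) -> None:
        """Step 1: add the new record next to the old one; the server keeps the old cert."""
        self.rrset.add(rdata)
        self.published_at.setdefault(rdata, now)

    def visible_everywhere_at(self, rdata: str) -> int:
        """A cache that fetched just before publication holds the old RRset for one TTL."""
        return self.published_at[rdata] + self.ttl

    def can_swap(self, rdata: str, now: int) -> bool:
        """Step 2 (install the new certificate) is safe once no cache can still lack the record."""
        return rdata in self.rrset and now >= self.visible_everywhere_at(rdata)

    def withdraw(self, rdata: str) -> None:
        """Step 3: after the server has swapped certificates, drop the old record."""
        self.rrset.discard(rdata)
        self.published_at.pop(rdata, None)


def clean_rollover_fits(ttl: int, now: int, deadline: int) -> bool:
    """True if a record published now is visible everywhere no later than the deadline."""
    return now + ttl <= deadline


def lower_ttl_effective_at(old_ttl: int, now: int) -> int:
    """Lowering the TTL now helps only after caches holding the old TTL have expired."""
    return now + old_ttl


def simulate(ttl: int, notice: int) -> dict:
    """Walk the three rollover steps with constructed keys and a revocation `notice` seconds away."""
    old = tlsa_rdata(ed25519_spki(b"\x01" * 32))   # constructed old key
    new = tlsa_rdata(ed25519_spki(b"\x02" * 32))   # constructed replacement key
    r = TlsaRollover(ttl=ttl)
    r.publish(old, now=-10 * ttl)                  # old record has been live for a long time
    r.publish(new, now=0)                          # step 1 at t=0
    swap_at = r.visible_everywhere_at(new)
    ok = r.can_swap(new, swap_at) and clean_rollover_fits(ttl, 0, notice)
    if ok:
        r.withdraw(old)                            # step 3
    return {"swap_at": swap_at, "fits_before_revocation": ok, "rrset_size": len(r.rrset)}


if __name__ == "__main__":
    # 24h TTL against a 24h notice fits only if step 1 happens immediately.
    print(simulate(ttl=86400, notice=86400))
    # An hour's delay with a 24h TTL no longer fits; a 1h TTL would.
    print(clean_rollover_fits(86400, 3600, 86400), clean_rollover_fits(3600, 3600, 86400))
    print("lower TTL effective at", lower_ttl_effective_at(86400, 0))
```

The `simulate` walk-through is the question in the thread in numbers: with a 24h TTL and 24h of notice the rollover only fits if the new record goes out the moment the notice arrives, which is why a short TLSA TTL has to be in place before an emergency, not set during one.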


