On Tue, Sep 22, 2020 at 11:23:04PM -0400, James Cloos wrote:
> I finally got around to auto-publishing 311 TLSAs when my LE certs
> renew. In doing that I added a column to keep track of the notafter
> for the cert associated with each TLSA, and plan a daily cron job to
> delete old ones.
>
> Is there any value in waiting until some time after the associated
> cert's notafter before deleting a 311 TLSA?
Once the replacement certificate is live (all affected processes are
restarted if required) on the MX hosts using the TLSA RRset in question,
and none are prone to rolling back to the prior state, there's no reason
to keep the old TLSA record in place. No new SMTP handshakes will take
place that see the old certificate chain, and so none will need to see
the associated (now stale) TLSA "3 1 1" records.

Emergencies aside however, waiting some time (just in case) is fine.

-- 
Viktor.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
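The retirement rule from the reply, as an added example that is not part of the thread and not James's or Viktor's tooling: a "3 1 1" record is only needed while some MX host can still present the certificate it matches, so a record whose rdata no longer appears among the chains the MX hosts actually serve can be deleted, and the notAfter-plus-grace delay is an optional extra wait. The SPKI byte strings below are constructed (Ed25519 SubjectPublicKeyInfo DER shape with dummy key bytes), the dates are invented, and `LIVE` stands in for values you would compute from the certificates the MX hosts currently present; the function and class names are the example's own.

```python
"""Build DANE TLSA "3 1 1" rdata from a certificate's SubjectPublicKeyInfo
and decide which published records are safe to retire (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def tlsa_3_1_1(spki_der: bytes) -> str:
    """Usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256).

    The digest covers the DER-encoded SubjectPublicKeyInfo, so a renewed
    certificate that reuses the same key pair yields the identical record and
    there is nothing to rotate at all."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


@dataclass(frozen=True)
class PublishedTlsa:
    rdata: str            # the "3 1 1 <hex>" value currently in DNS
    not_after: datetime   # notAfter of the certificate it was generated from


def retirable(published, live_rdata, now, grace=timedelta(0),
              wait_for_notafter=False):
    """Return the published records that can be deleted.

    Required condition: the rdata is not among `live_rdata`, the "3 1 1"
    values computed from chains the MX hosts currently present, so no new
    SMTP handshake can still need it.  If `wait_for_notafter` is set, the
    record is additionally held until the old certificate's notAfter plus
    `grace`, the optional "just in case" delay."""
    out = []
    for rec in published:
        if rec.rdata in live_rdata:
            continue  # some MX host still serves this certificate: keep
        if wait_for_notafter and now < rec.not_after + grace:
            continue  # not yet past notAfter + grace: keep for now
        out.append(rec)
    return out


# --- constructed sample data -------------------------------------------------
# DER prefix of an Ed25519 SubjectPublicKeyInfo, followed by 32 dummy key bytes.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
OLD_SPKI = ED25519_SPKI_PREFIX + b"\x01" * 32   # key of the expiring cert
NEW_SPKI = ED25519_SPKI_PREFIX + b"\x02" * 32   # key of the renewed cert
OLD_RDATA = tlsa_3_1_1(OLD_SPKI)
NEW_RDATA = tlsa_3_1_1(NEW_SPKI)

PUBLISHED = [
    PublishedTlsa(OLD_RDATA, datetime(2020, 10, 20, tzinfo=timezone.utc)),
    PublishedTlsa(NEW_RDATA, datetime(2021, 1, 18, tzinfo=timezone.utc)),
]
LIVE = {NEW_RDATA}   # only the renewed cert is presented by the MX hosts now
NOW = datetime(2020, 9, 23, tzinfo=timezone.utc)
LATER = datetime(2020, 10, 25, tzinfo=timezone.utc)   # 5 days past old notAfter
GRACE = timedelta(days=3)


def demo():
    """Run the scenarios and return the rdata each policy would delete."""
    return {
        "new cert live, delete immediately":
            [r.rdata for r in retirable(PUBLISHED, LIVE, NOW)],
        "new cert live, but wait for notAfter":
            [r.rdata for r in retirable(PUBLISHED, LIVE, NOW,
                                        wait_for_notafter=True)],
        "5 days past notAfter, 3-day grace":
            [r.rdata for r in retirable(PUBLISHED, LIVE, LATER, grace=GRACE,
                                        wait_for_notafter=True)],
        "old cert still served by some MX":
            [r.rdata for r in retirable(PUBLISHED, LIVE | {OLD_RDATA}, LATER)],
    }


if __name__ == "__main__":
    for scenario, doomed in demo().items():
        print(f"{scenario}: {doomed or 'nothing to delete'}")
```

The last scenario is the one a cron job keyed only on notAfter gets wrong: if an MX host is still presenting the old chain (a process that was never restarted, or a host that rolled back), its record must stay no matter how far past notAfter the date is, which is why the live check is the required condition and the expiry wait only an optional extra.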