On 7/31/2015 11:54 AM, Viktor Dukhovni wrote:
> On Fri, Jul 31, 2015 at 11:47:55AM -0400, Mike wrote:
>
>> To test the server's configuration, I found this site:
>> https://dane.sys4.de/
>> that lets me know if Postfix server DANE (along with DNSSEC and TLSA) is
>> working as expected. So far, everything is working quite well.
>
> The key success metric will be whether you'll still remember that
> you published TLSA records when it is time to deploy a new SSL
> certificate.
>
> https://dane.sys4.de/common_mistakes#3
> https://dane.sys4.de/common_mistakes
>
> At present indeed both of your domains are configured correctly.
> Good luck.
>

I had read the "common mistakes" page previously. Good, helpful stuff therein. Even before I read it, though, I modified the script I use to publish my certs to show a reminder prompt about adding/removing the TLSA records (with multiple TTL periods elapsed) *before* the new certs are published. Thanks.
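
The pre-publication check described in this message could be automated along the following lines. This is an added example, not the script mentioned above: the "3 0 1" TLSA parameters (DANE-EE, full certificate, SHA-256), the function names, the two-TTL default and the sample data are all assumptions made for illustration.

```python
import base64, hashlib, re

def tlsa_3_0_1(pem):
    """TLSA rdata '3 0 1 <sha256 of DER cert>' for the first PEM certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    return "3 0 1 " + hashlib.sha256(der).hexdigest()

def normalize(rdata):
    """Zone files may upper-case the digest or split it into chunks."""
    parts = rdata.split()
    return " ".join(parts[:3] + ["".join(parts[3:]).lower()])

def rollover_check(new_pem, published, added_at, ttl, now, ttl_multiples=2):
    """Return (ok, reason). 'published' is the TLSA rdata currently in the zone;
    'added_at' is the epoch time the new record went live (None if unknown)."""
    want = tlsa_3_0_1(new_pem)
    if want not in {normalize(r) for r in published}:
        return (False, "publish TLSA record first: " + want)
    if added_at is None:
        return (False, "record present but publication time unknown")
    wait = ttl * ttl_multiples - (now - added_at)
    if wait > 0:
        return (False, "wait %d more seconds for cached RRsets to expire" % wait)
    return (True, "ok to deploy")

# Constructed sample input: arbitrary bytes in a PEM wrapper, not a real
# certificate. The digest is taken over the decoded bytes either way.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed bytes, not a real certificate").decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    old = "3 0 1 " + "ab" * 32             # constructed record for the old cert
    new = tlsa_3_0_1(SAMPLE_PEM)
    print(rollover_check(SAMPLE_PEM, [old], None, 3600, 0))       # not published
    print(rollover_check(SAMPLE_PEM, [old, new], 0, 3600, 3600))  # too early
    print(rollover_check(SAMPLE_PEM, [old, new], 0, 3600, 7200))  # safe
```

The old certificate's record stays in the zone until the new certificate is live, so both records are published together during the rollover.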