On Mon, Jul 27, 2020 at 08:58:19PM +0000, Antonio Leding wrote:

> > You can of course use an LE cert, it does not do any obvious harm,
> > unless you also do DANE, and neither freeze the key, nor handle TLSA
> > updates correctly (in advance of cert deployment).
>
> So I'm gathering (a) not much will be gained by using a public-CA
> signed cert; and (b) the PROs of using DANE + self-signed likely (or
> actually) outweigh going with an LE cert sans DANE.
Yes, (a) not much gained. And, (b) while it is not in principle that
difficult to combine DANE with automated renewal of Let's Encrypt certs,
some struggle getting all the gears to move in unison.

If you do want to secure your inbound email, do consider DANE, but make
sure that the first thing you implement is monitoring that checks whether
DANE is working correctly, then a robust rollover process that ensures
that even somewhat stale TLSA records (in secondary nameservers or
downstream caches) never fail to match the deployed certificate chain.

Once you have monitoring and a sound rollover process, enable DANE.
You'll of course need to have a DNSSEC-signed domain, and monitoring for
that too (including checking that signatures on key RRsets are not
unexpectedly close to expiring).

-- 
Viktor.
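The two monitoring points Viktor lists (the published TLSA RRset must match both the chain serving now and the chain about to be deployed, and DNSSEC signatures must not be close to expiry) can be checked offline. The following is an added example, not code from the thread or from Postfix. It uses only the Python standard library; the certificate and SubjectPublicKeyInfo inputs are raw DER bytes obtained outside the script (for instance with `openssl x509 -outform DER` and `openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER`), and every byte string in the demo is a constructed placeholder, not a real certificate or key. It also shows why "freezing the key" works: with selector 1 (SPKI) the record does not change when a certificate is reissued for the same key.

```python
"""Added example: offline DANE TLSA rollover and RRSIG freshness checks.
Not part of the original thread.  Inputs are DER bytes produced elsewhere;
all sample values below are constructed placeholders."""
import hashlib
from datetime import datetime, timezone

# TLSA selector field: which part of the certificate is matched (RFC 6698).
SEL_FULL_CERT = 0   # whole DER certificate
SEL_SPKI = 1        # DER SubjectPublicKeyInfo only; unchanged when the key is frozen

# TLSA matching-type field: how the selected data appears in the record.
MT_FULL = 0         # raw bytes
MT_SHA256 = 1
MT_SHA512 = 2

# SMTP DANE (RFC 7672) uses only usages 2 (DANE-TA) and 3 (DANE-EE).
USAGE_DANE_TA = 2
USAGE_DANE_EE = 3


def tlsa_association(der_cert: bytes, der_spki: bytes, selector: int, mtype: int) -> str:
    """Return the TLSA certificate-association data, as lowercase hex, for one cert."""
    data = {SEL_FULL_CERT: der_cert, SEL_SPKI: der_spki}[selector]
    if mtype == MT_FULL:
        return data.hex()
    if mtype == MT_SHA256:
        return hashlib.sha256(data).hexdigest()
    if mtype == MT_SHA512:
        return hashlib.sha512(data).hexdigest()
    raise ValueError(f"unsupported matching type {mtype}")


def parse_tlsa(rdata: str) -> tuple:
    """Parse presentation-format rdata such as '3 1 1 ab12...' (hex may be split)."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), "".join(hexparts).lower()


def chain_matches(tlsa_rrset, chain) -> bool:
    """True if at least one usable TLSA record in the RRset matches the chain.

    chain is a list of (der_cert, der_spki) tuples, index 0 = end-entity cert.
    DANE-EE (3) must match the end-entity; DANE-TA (2) may match any issuer.
    Usages 0 and 1 are skipped, as RFC 7672 requires of SMTP clients.
    """
    for usage, selector, mtype, assoc in tlsa_rrset:
        if usage == USAGE_DANE_EE:
            candidates = chain[:1]
        elif usage == USAGE_DANE_TA:
            candidates = chain[1:]
        else:
            continue
        for der_cert, der_spki in candidates:
            if tlsa_association(der_cert, der_spki, selector, mtype) == assoc:
                return True
    return False


def rollover_ok(published_rrset, current_chain, next_chain) -> dict:
    """Rollover invariant: the RRset as published (and as a stale secondary or
    cache may still hold it) must match BOTH the chain serving now and the
    chain about to be deployed; otherwise senders see a mismatch window."""
    return {
        "current": chain_matches(published_rrset, current_chain),
        "next": chain_matches(published_rrset, next_chain),
    }


def rrsig_seconds_left(expiration: str, now: str) -> int:
    """Seconds until an RRSIG expires.  Both arguments use the RRSIG
    presentation format YYYYMMDDHHmmSS in UTC, as printed by `dig +dnssec`."""
    fmt = "%Y%m%d%H%M%S"
    exp = datetime.strptime(expiration, fmt).replace(tzinfo=timezone.utc)
    ref = datetime.strptime(now, fmt).replace(tzinfo=timezone.utc)
    return int((exp - ref).total_seconds())


def rrsig_healthy(expiration: str, now: str, min_seconds: int = 2 * 86400) -> bool:
    """Alert when a signature is closer than min_seconds to expiry: the signer
    or zone transfer has probably stalled and the zone is about to go bogus."""
    return rrsig_seconds_left(expiration, now) >= min_seconds


if __name__ == "__main__":
    # Constructed placeholder DER blobs (NOT real certificates or keys).
    old = (b"placeholder-der-cert-2020-06", b"placeholder-der-spki-key-A")
    new_same_key = (b"placeholder-der-cert-2020-08", old[1])          # frozen key
    new_new_key = (b"placeholder-der-cert-2020-08", b"placeholder-der-spki-key-B")

    # Correct discipline: publish the next key's "3 1 1" record before deploying.
    published = [parse_tlsa("3 1 1 " + tlsa_association(*pair, SEL_SPKI, MT_SHA256))
                 for pair in (old, new_new_key)]
    print("published RRset:", rollover_ok(published, [old], [new_new_key]))
    stale = published[:1]   # a secondary that has not yet pulled the new record
    print("stale secondary:", rollover_ok(stale, [old], [new_new_key]))
    print("frozen key still matches:", chain_matches(stale, [new_same_key]))
    print("RRSIG healthy:", rrsig_healthy("20200801000000", "20200727205819"))
```

Run the rollover check against every authoritative nameserver's copy of the RRset, not just the primary, and only deploy the new chain once `next` is true everywhere; the `current` flag guards against the opposite mistake of retiring an old record while the old certificate is still being served.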