On Mon, Jul 27, 2020 at 07:53:09PM -0400, Scott Hollenbeck wrote:

> If you use them, you're going to need to do some scripting using the
> Let's Encrypt renewal hooks and gcloud to update your TLSA record(s)
> every time you renew your certificate(s). Viktor does some automated
> checking that's caught the few times when my TLSA re-generation script
> has gone awry, so don't worry, if you publish a bad TLSA record you'll
> find out soon enough!

I don't recommend relying solely on the DANE survey engine for
monitoring.  The alerts are neither especially timely, nor will they
continue to be sent indefinitely.  Once enough notices fail to break the
pattern of periodic outages, I stop sending the notices.

-- 
    Viktor.
