On Wed, Aug 18, 2021 at 02:32:51PM +1000, raf <post...@raf.org> wrote:
> I guess the most pragmatic thing to do would be to only use DANE/TLSA
> for port 25 with self-signed certificates with self-automated rollovers,
> and use certbot-created certificates (without corresponding TLSA records)
> for everything else. But I'd like to eventually be able to publish TLSA
> records for all the ports (25/443/465/587/993/995). But that's hardly
> urgent. It can wait for danebot. Let me know when it's ready for testing.

I couldn't help it. I got excited and wrote a shell script called danectl
to provide a DANE-friendly Certbot workflow. It has subcommands to do:

- create a pair of certificates with stable keys: current and next
- tell it what TLSA records you'll be wanting (port/protocol/host)
- print current/next TLSA RRs for you to publish to the DNS
- check that all the TLSA RRs are published
- tell it what services to reload on a key rollover
- rollover (then create a new next key and print its TLSA RRs)

It's made it very easy for me to DANE all the things. I still update my
zonefiles manually, which I prefer, but it's just copy and paste. I could
automate it.

I'm sure it's very inflexible and limited but it's just what I wanted:
TLSA 3 1 1 only, multiple domains, configurable TLSA prefixes and services
to reload, cronnable rollovers and monitoring, potentially automatable DNS
updates, and simple commands.

https://raf.org/danectl
https://raf.org/danectl/manpages/danectl.1.html
https://github.com/raforg/danectl

cheers,
raf
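The current/next workflow described in the post, shown as an added Python illustration (not danectl's own code): it derives the TLSA 3 1 1 association data (SHA-256 of the DER SubjectPublicKeyInfo) for constructed Ed25519 keys, builds the RRs for a set of port/protocol/host prefixes, checks them against a (constructed) list of published records, and only rolls the next key into place once every RR for it is published. Key bytes, the prefixes and the domain are made-up sample values.

```python
import hashlib

# Constructed Ed25519 SubjectPublicKeyInfo DER values (not real keys): the fixed
# 12-byte SPKI header for Ed25519 followed by a 32-byte public key.
ED25519_SPKI_HEADER = bytes.fromhex("302a300506032b6570032100")
CURRENT_SPKI = ED25519_SPKI_HEADER + bytes(range(1, 33))     # stable "current" key
NEXT_SPKI = ED25519_SPKI_HEADER + bytes(range(101, 133))     # stable "next" key
FRESH_SPKI = ED25519_SPKI_HEADER + bytes(range(201, 233))    # generated at rollover

# Sample TLSA prefixes (port, protocol, host) and domain, as danectl is told them.
PREFIXES = [("25", "tcp", "mail"), ("443", "tcp", "www"), ("587", "tcp", "mail")]
DOMAIN = "example.com"

def tlsa_311(spki_der: bytes) -> str:
    """Association data for usage 3 (DANE-EE), selector 1 (SPKI), matching type 1:
    SHA-256 over the DER SubjectPublicKeyInfo, as lowercase hex."""
    return hashlib.sha256(spki_der).hexdigest()

def tlsa_rrs(prefixes, domain, spki_der):
    """One '3 1 1' TLSA RR per prefix, e.g. _25._tcp.mail.example.com."""
    digest = tlsa_311(spki_der)
    return [f"_{port}._{proto}.{host}.{domain}. IN TLSA 3 1 1 {digest}"
            for port, proto, host in prefixes]

def missing_rrs(wanted, published):
    """RRs that should be in the DNS but are absent from the published set
    (here a constructed list standing in for the answers to TLSA queries)."""
    have = set(published)
    return [rr for rr in wanted if rr not in have]

def rollover(current, nxt, fresh, prefixes, domain, published):
    """Make next the current key only when every TLSA RR for it is already
    published; otherwise keep the pair unchanged so the live key still matches
    the DNS. Returns the (current, next) pair after the attempt."""
    if missing_rrs(tlsa_rrs(prefixes, domain, nxt), published):
        return current, nxt
    return nxt, fresh

if __name__ == "__main__":
    # Publish both current and next RRs, then the rollover is safe.
    for rr in tlsa_rrs(PREFIXES, DOMAIN, CURRENT_SPKI) + tlsa_rrs(PREFIXES, DOMAIN, NEXT_SPKI):
        print(rr)
```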