yup, I have separate certs for mail & web. i'd just mistakenly added the ocsp opts to all. quick fixed the mail cert, removing it; web certs keep it 'on', here.
testssl check of mail cert now confirms:

	...
	Certificate Revocation List  --
	OCSP URI                     http://r3.o.lencr.org
	OCSP stapling                not offered
	OCSP must staple extension   --
	...

tlsa/dane "3 1 1" usage is noted

thx for the 'danectl' script. i've my own key/record mgmt script that deals with my distributed dns, web & mail servers. for LE-certs, DNSSEC, etc -- acme-based. works well enough. especially, as mentioned, with the bind9 integrations for key mgmt.

yes, registrars' general lack of support for CDS/CDNSKEY is ... annoying. from mine, i've got years of 'assurances' that "we're working on it. it'll be done in 2-3 months". of course, not so much :-/

still 'someday' for _full_ automation.

thx all!