> On 12 Apr 2022, at 12:36 pm, Erwan David <er...@rail.eu.org> wrote:
>
> Does it handle restarting/reloading a program when changing the certificate?
> Postfix does not need it, but dovecot does.
My first impression reading the docs is that "letdns" is not involved in certificate rollovers. Its job is solely to automate TLSA record updates.

The documentation is rather silent about what specifically happens when a certificate file changes:

  * Are TLSA records matching the previous cert/key retained?
  * For how long?

There's a need for an example complete config file. Also more sophisticated deployment models that involve TLSA RR CNAMEs, support for "2 1 1" records and detection of changes in the issuing CA, ...

Also, I don't see tooling for robust cert rollover, with the DNS changes made up front, which means that the TLSA "3 1 1" records need to be computed from a private key file, not a public certificate.

Thus 1.0 is an MVP snapshot, but much work remains.

-- 
Viktor.
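The "DNS changes made up front" rollover that Viktor describes, as an added example that is not part of letdns or of this thread: the "3 1 1" digest (usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256) is computed from the next private key before any certificate for it exists, published alongside the current record, and only then is the certificate obtained and deployed. The self-signed certificate stands in for the ACME-issued one, and the owner name `_25._tcp.mx.example.test.` is made up; the helper names are mine.

```shell
#!/bin/sh
# Added example (not letdns code). Compute DANE-EE "3 1 1" TLSA data from a
# private key so the record for the NEXT key can be published before its
# certificate exists, then confirm the certificate yields the same digest.
# The hostname is made up; the self-signed cert stands in for CA issuance.
set -eu

# SHA-256 of the DER SubjectPublicKeyInfo derived from a private key file.
tlsa_311_from_key() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# The same digest taken from a PEM certificate. A "2 1 1" record for the
# issuing CA's certificate uses this identical computation; only the usage
# field in the RR differs.
tlsa_311_from_cert() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Render one TLSA RR with selector 1 / matching type 1:
# $1 = owner name, $2 = usage (2 or 3), $3 = hex digest.
tlsa_rr() {
    printf '%s IN TLSA %s 1 1 %s\n' "$1" "$2" "$3"
}

# Generate a P-256 private key into $1.
gen_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1" 2>/dev/null
}

# Self-sign a certificate for key $1 into $2 (placeholder for the CA step).
issue_cert() {
    openssl req -new -x509 -key "$1" -days 1 \
        -subj /CN=mx.example.test -out "$2" 2>/dev/null
}

# Rollover with the DNS change made up front:
#  1. the current cert's "3 1 1" record is already published;
#  2. add a second "3 1 1" record computed from the NEXT private key;
#  3. only after that record has propagated (TTL), obtain the cert for the
#     next key and deploy it; retire the old record once the old cert is gone.
demo_rollover() {
    owner=_25._tcp.mx.example.test.
    tmp=$(mktemp -d)
    gen_key "$tmp/current.key"
    issue_cert "$tmp/current.key" "$tmp/current.crt"
    gen_key "$tmp/next.key"
    cur=$(tlsa_311_from_cert "$tmp/current.crt")
    nxt=$(tlsa_311_from_key "$tmp/next.key")
    echo "; publish both before deploying the new certificate"
    tlsa_rr "$owner" 3 "$cur"
    tlsa_rr "$owner" 3 "$nxt"
    issue_cert "$tmp/next.key" "$tmp/next.crt"
    got=$(tlsa_311_from_cert "$tmp/next.crt")
    rm -rf "$tmp"
    # The digest from the issued cert must equal the one published from the key.
    [ "$got" = "$nxt" ]
}

demo_rollover
```

Because the digest covers only the SubjectPublicKeyInfo, reissuing a certificate for the same key (the usual ACME renewal) leaves the "3 1 1" record unchanged; only a key change requires the two-record overlap shown above, and the overlap must last at least the TTL of the old record plus the time until no server still presents the old certificate.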