* Viktor Dukhovni:

> My first impression reading the docs is that "letsdns" is not involved
> in certificate rollovers. Its job is solely to automate TLSA record
> updates.

Indeed.

> Are TLSA records matching the previous cert/key retained?

No, LetsDNS is stateless beyond the configuration files' content. What exactly happens during each run depends on the configured actions. The dane-tlsa live DNS update removes existing TLSA records and generates new ones for the certificates configured in this particular run.

> There's a need for an example complete config file. Also
> more sophisticated deployment models that involved TLSA
> RR CNAMEs, support for "2 1 1" records and detection of
> changes in the issuing CA, ...

"2 1 1" records are already generated; see https://dane.sys4.de/smtp/seichter.de

> Also, I don't see tooling for robust cert rollover [...]

This already works, but I agree that the documentation is quite sparse at this point.

> Thus 1.0 is an MVP snapshot, but much work remains.

I invite you and other interested parties to discuss this on GitHub [1] rather than the Postfix mailing list. Release 1.0 is meant to provide core functionality, and follows the "release early and often" approach. There is of course room for enhancements.

-Ralph

[1] https://github.com/LetsDNS/letsdns/discussions
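The rollover question raised in this exchange, as an added illustration that is not LetsDNS code: a stateless run publishes only the "3 1 1" record for the current end-entity key and the "2 1 1" record for its issuer, so a rollover-safe update has to keep the previously published records until the new certificate is live. The SPKI byte strings below are constructed placeholders for DER-encoded SubjectPublicKeyInfo values.

```python
import hashlib

# Constructed placeholders standing in for the DER SubjectPublicKeyInfo
# (TLSA selector 1) of the old and new end-entity keys and the issuing CA.
OLD_EE_SPKI = b"constructed-old-end-entity-spki"
NEW_EE_SPKI = b"constructed-new-end-entity-spki"
ISSUER_SPKI = b"constructed-issuing-ca-spki"


def tlsa_rr(usage: int, selector: int, mtype: int, spki: bytes) -> str:
    """Return a TLSA RR in presentation format (RFC 6698), e.g. '3 1 1 <hex>'.

    Only selector 1 (SubjectPublicKeyInfo) with matching type 1 (SHA-256)
    is handled here, the combination RFC 7671 recommends for SMTP."""
    if selector != 1 or mtype != 1:
        raise ValueError("example covers selector 1 / matching type 1 only")
    return f"{usage} {selector} {mtype} {hashlib.sha256(spki).hexdigest()}"


def stateless_rrset(ee_spki: bytes, issuer_spki: bytes) -> set:
    """What a stateless update publishes: the current EE key as '3 1 1'
    plus its issuer as '2 1 1'. Anything published earlier is dropped."""
    return {tlsa_rr(3, 1, 1, ee_spki), tlsa_rr(2, 1, 1, issuer_spki)}


def rollover_rrset(published: set, ee_spki: bytes, issuer_spki: bytes,
                   retire_old: bool = False) -> set:
    """Rollover-safe RRset: add the new records to the published ones and
    only drop the old ones (retire_old=True) after the new certificate is
    in service and the old RRset's TTL has expired on resolvers."""
    new = stateless_rrset(ee_spki, issuer_spki)
    return new if retire_old else set(published) | new


def issuer_changed(published: set, issuer_spki: bytes) -> bool:
    """True when no published '2 1 1' record matches the current issuer,
    i.e. the issuing CA key changed and the RRset needs a new CA record."""
    return tlsa_rr(2, 1, 1, issuer_spki) not in published


if __name__ == "__main__":
    live = stateless_rrset(OLD_EE_SPKI, ISSUER_SPKI)
    for rr in sorted(rollover_rrset(live, NEW_EE_SPKI, ISSUER_SPKI)):
        print(rr)
```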