Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> writes:
> On Mon, May 22, 2023 at 09:53:36PM -0400, Viktor Dukhovni via Postfix-users wrote:
>
>> Key reuse as a *default* rollover approach is robust. When it is time
>> to change keys, one can do so deliberately, and with due care to
>> prepublish TLSA records matching the *next* key, then after a few TTLs
>> deploy the next certificate, and at that point drop the outdated TLSA RR
>> matching the old keys. Meanwhile, root CAs reuse the same RSA 2048-bit
>> key for decades.
>
> To that end, though it is not yet feature-complete, I am announcing
> a "beta" release of "danebot", which is a wrapper around "certbot"
> that supports safe key rollover (with by default stable reused keys)
> in combination with "3 1 1" TLSA records.
>
> At this point, I am particularly looking for adoption from experienced
> shell script developers, who might add missing features or, having
> examined the code, might help to improve the documentation.
>
> That said, "danebot" can be used as-is (I've been using it for over a
> year) by anyone who is not a novice with "certbot".
>
> https://github.com/tlsaware/danebot
>
> The same design principles can surely (and perhaps even more easily)
> be adapted to other ACME clients. Contributions along those lines
> are also welcome (likely as variants of the "certbot" script).

Thanks for the good tool, because I still find it very hard to make "3 1 1" TLSA things. Someday far later, I'll try these "3 1 1" things. Actually I cannot say anything about DANE. Still work in progress ...

Sincerely,

Byung-Hee

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
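The rollover sequence Viktor describes in the quoted text (prepublish the TLSA record for the next key, wait a few TTLs, deploy the new certificate, then drop the old record) can be modelled as a small state machine whose one invariant is that the served key always matches a published "3 1 1" record. The following is an added example, not code from the thread or from danebot; the owner name `_25._tcp.mx.example.net`, the hypothetical `DaneRollover` class, and the Ed25519 key bytes are all constructed so the script runs offline with only the Python standard library. A real deployment would extract the SubjectPublicKeyInfo from the certificate (e.g. with openssl) rather than build it by hand.

```python
import hashlib

# Constructed sample data: the DER SubjectPublicKeyInfo prefix for an Ed25519
# key (OID 1.3.101.112), followed by a 32-byte raw key. These bytes exist only
# so the example runs offline; real tooling reads the SPKI from the certificate.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def make_spki(raw_key: bytes) -> bytes:
    """Wrap a 32-byte raw Ed25519 public key in a DER SPKI (constructed input)."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return ED25519_SPKI_PREFIX + raw_key


def check_spki_der(spki: bytes) -> None:
    """Minimal DER sanity check: a SEQUENCE whose short-form length covers the rest."""
    if len(spki) < 2 or spki[0] != 0x30:
        raise ValueError("SPKI is not a DER SEQUENCE")
    if spki[1] & 0x80 or spki[1] != len(spki) - 2:
        raise ValueError("SPKI DER length mismatch (only short-form lengths handled)")


def tlsa_3_1_1(spki: bytes) -> str:
    """RDATA of a DANE-EE(3) / SPKI(1) / SHA-256(1) TLSA record for this key."""
    check_spki_der(spki)
    return "3 1 1 " + hashlib.sha256(spki).hexdigest()


class DaneRollover:
    """Hypothetical model of the published TLSA RRset and the key being served.

    Invariant: the served key always matches at least one published record,
    so a DANE-verifying SMTP client never sees an unmatched certificate.
    """

    def __init__(self, owner: str, current_spki: bytes):
        self.owner = owner                      # e.g. "_25._tcp.mx.example.net"
        self.served_spki = current_spki
        self.published = {tlsa_3_1_1(current_spki)}

    def zone_lines(self) -> list:
        """Zone-file view of what is currently published."""
        return sorted(f"{self.owner}. IN TLSA {rdata}" for rdata in self.published)

    def prepublish(self, next_spki: bytes) -> None:
        """Step 1: publish the record for the *next* key; keep serving the old one."""
        self.published.add(tlsa_3_1_1(next_spki))

    def deploy(self, next_spki: bytes) -> None:
        """Step 2 (only after a few TTLs have elapsed): switch the served key.

        Refuses a key whose record was never prepublished, because resolvers
        may still hold a cached RRset that does not contain it.
        """
        if tlsa_3_1_1(next_spki) not in self.published:
            raise RuntimeError("refusing to deploy: TLSA record for new key not prepublished")
        self.served_spki = next_spki

    def retire_old(self) -> None:
        """Step 3: drop every record that no longer matches the served key."""
        self.published = {tlsa_3_1_1(self.served_spki)}

    def verifies(self, presented_spki: bytes) -> bool:
        """What a DANE-EE client checks: does the presented SPKI hash match any RR?"""
        return tlsa_3_1_1(presented_spki) in self.published


if __name__ == "__main__":
    # Walk the three steps with constructed placeholder keys and show the RRset.
    old_key = make_spki(bytes(range(32)))
    new_key = make_spki(bytes(range(32, 64)))
    state = DaneRollover("_25._tcp.mx.example.net", old_key)
    for step, action in (("initial", lambda: None),
                         ("prepublish", lambda: state.prepublish(new_key)),
                         ("deploy", lambda: state.deploy(new_key)),
                         ("retire", state.retire_old)):
        action()
        print(f"--- {step}: served key verifies = {state.verifies(state.served_spki)}")
        for line in state.zone_lines():
            print(line)
```

Two points the model makes visible: `deploy` is the step that breaks delivery if it runs before the prepublished RRset has aged out of caches, which is why danebot's default of reusing the key (so the "3 1 1" RDATA never changes at renewal) removes most of the risk; and the wait between steps 1 and 2 is a real-time TTL wait that no script can shortcut, so it is left outside the class.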