[dns-operations] removal schedule for old tlsa rrs?

James Cloos cloos at jhcloos.com
Wed Sep 23 03:23:04 UTC 2020


I finally got around to auto-publishing 311 tlsas when my le certs
renew.  (one-handed typing really sucks.)  in doing that I added a
column to keep track of the notafter for the cert associated with
each tlsa, and plan a daily cron job to delete old ones.

Is there any value in waiting until some time after the associated
cert's notafter before deleting a 311 tlsa?

Assuming of course that a replacement is in place....

Automating signals to the daemons to use the new certs comes next.
For now that step remains manual.  I am thinking of waiting a day
or so before triggering the cert reloads.

-JimC
-- 
James Cloos <cloos at jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6
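An added example, not code from the post: Go that derives the "3 1 1" digest (SHA-256 over the certificate's DER SubjectPublicKeyInfo) and decides whether an old record can be dropped, requiring both that a replacement is already published and that notAfter plus a grace period has passed. The grace period (used here as the record's DNS TTL), the owner name and the constructed self-signed certificate are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA is one DANE-EE(3) SPKI(1) SHA-256(1) record together with the
// notAfter of the certificate it was published for (the extra column).
type TLSA struct {
	Owner    string
	Digest   string
	NotAfter time.Time
}

// TLSA311FromCert hashes the DER SubjectPublicKeyInfo, which is exactly
// what a "3 1 1" record matches against during DANE verification.
func TLSA311FromCert(owner string, cert *x509.Certificate) TLSA {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return TLSA{Owner: owner, Digest: hex.EncodeToString(sum[:]), NotAfter: cert.NotAfter}
}

// String renders the record in zone-file form.
func (t TLSA) String() string { return fmt.Sprintf("%s IN TLSA 3 1 1 %s", t.Owner, t.Digest) }

// Removable is the daily-cron check: keep the old record until a replacement
// is published AND notAfter plus the grace period (assumed: the record's TTL,
// so resolver caches have aged it out) has elapsed.
func Removable(old TLSA, replacementPublished bool, grace time.Duration, now time.Time) bool {
	return replacementPublished && now.After(old.NotAfter.Add(grace))
}

// selfSignedCert builds a constructed test certificate; not a real LE cert.
func selfSignedCert(notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "mail.example.com"},
		NotBefore: notAfter.Add(-90 * 24 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	rec := TLSA311FromCert("_25._tcp.mail.example.com.", selfSignedCert(time.Now().Add(24*time.Hour)))
	fmt.Println(rec)
	fmt.Println("removable now:", Removable(rec, true, time.Hour, time.Now()))
}
```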
