[dns-operations] removal schedule for old tlsa rrs?

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Sep 23 03:35:03 UTC 2020


On Tue, Sep 22, 2020 at 11:23:04PM -0400, James Cloos wrote:

> I finally got around to auto-publishing 311 TLSAs when my LE certs
> renew.  In doing that I added a column to keep track of the notafter
> for the cert associated with each TLSA, and plan a daily cron job to
> delete old ones.
> 
> Is there any value in waiting until some time after the associated
> cert's notafter before deleting a 311 TLSA?

Once the replacement certificate is live (all affected processes are
restarted if required) on the MX hosts using the TLSA RRset in question,
and none are prone to rolling back to the prior state, there's no reason
to keep the old TLSA record in place.  No new SMTP handshakes will take
place that see the old certificate chain, and so none will need to see
the associated (now stale) TLSA "3 1 1" records.

Emergencies aside, however, waiting some time (just in case) is fine.

-- 
    Viktor.
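The rule above in code: an added example, not part of the post or of any
tool the list members use. It derives the "3 1 1" association data the way
the record is defined (SHA-256 over the DER SubjectPublicKeyInfo, extracted
here with a minimal standard-library DER walker), and then applies Viktor's
removal criterion: an old TLSA RR can go once no MX host presents that key
any more, regardless of the old certificate's notAfter. The sample
certificate, host names and the "presented" map are constructed for the
example; in practice the presented set comes from an actual TLS probe of
each MX.

```python
"""Decide when a stale DANE-EE(3) SPKI(1) SHA2-256(1) TLSA record can go.

Added example for the dns-operations thread, not the poster's code. Uses
only the standard library; certificate and MX data are constructed.
"""
import hashlib


def _read_tlv(data: bytes, off: int):
    """Return (tag, value, end) for the DER element that starts at off."""
    tag, length, off = data[off], data[off + 1], off + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[off:off + n], "big")
        off += n
    return tag, data[off:off + length], off + length


def _children(seq_value: bytes):
    """Yield (tag, raw_tlv) for each element inside a SEQUENCE's value."""
    off = 0
    while off < len(seq_value):
        tag, _, end = _read_tlv(seq_value, off)
        yield tag, seq_value[off:end]
        off = end


def spki_from_cert(cert_der: bytes) -> bytes:
    """Extract the DER SubjectPublicKeyInfo (full TLV) from an X.509 certificate.

    RFC 5280 TBSCertificate field order: [0] version (optional), serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    """
    _, cert, _ = _read_tlv(cert_der, 0)                              # Certificate
    _, tbs, _ = _read_tlv(cert, 0)                                   # TBSCertificate
    fields = [raw for tag, raw in _children(tbs) if tag != 0xA0]     # drop [0] version
    return fields[5]


def tlsa_311(cert_der: bytes) -> str:
    """Association data of a "3 1 1" TLSA record: SHA-256 over the DER SPKI."""
    return hashlib.sha256(spki_from_cert(cert_der)).hexdigest()


def removable_tlsa(published: dict, presented: dict) -> list:
    """Return published rdata values that are safe to delete.

    published: rdata -> notAfter of the certificate it was generated for
               (James's bookkeeping column; deliberately unused by the rule).
    presented: mx host -> set of rdata values whose keys that host still
               presents in live handshakes (a host not yet restarted, or one
               that might roll back, still counts as presenting the old key).
    """
    still_live = set().union(*presented.values()) if presented else set()
    return sorted(r for r in published if r not in still_live)


# --- constructed sample certificate (hypothetical, unsigned) -------------

def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder for lengths below 65536, enough for the sample."""
    n = len(content)
    if n < 0x80:
        hdr = bytes([tag, n])
    elif n < 0x100:
        hdr = bytes([tag, 0x81, n])
    else:
        hdr = bytes([tag, 0x82]) + n.to_bytes(2, "big")
    return hdr + content


# SPKI: id-ecPublicKey / prime256v1 with a dummy uncompressed point.
SAMPLE_SPKI = _der(0x30,
    _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d0201"))
             + _der(0x06, bytes.fromhex("2a8648ce3d030107")))
    + _der(0x03, b"\x00\x04" + b"\x11" * 64))


def sample_cert(spki: bytes) -> bytes:
    """Structurally valid v3 certificate around spki; signature is a placeholder."""
    ecdsa_sha256 = _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d040302")))
    validity = _der(0x30, _der(0x17, b"200901000000Z") + _der(0x17, b"201130000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))   # [0] version v3
                   + _der(0x02, b"\x01")               # serialNumber
                   + ecdsa_sha256                      # signature algorithm
                   + _der(0x30, b"")                   # issuer (empty for the sample)
                   + validity
                   + _der(0x30, b"")                   # subject (empty for the sample)
                   + spki)
    return _der(0x30, tbs + ecdsa_sha256 + _der(0x03, b"\x00\x30\x00"))


if __name__ == "__main__":
    new = tlsa_311(sample_cert(SAMPLE_SPKI))
    old = "0" * 64                                     # hash of the previous key, constructed
    published = {old: "2020-09-30", new: "2020-11-30"}
    print("mid-rollout :", removable_tlsa(published, {"mx1": {new}, "mx2": {old}}))
    print("all restarted:", removable_tlsa(published, {"mx1": {new}, "mx2": {new}}))
```

The check a cron job should perform before deleting is therefore a live
probe of every MX (what key does it present right now?), not a comparison
of the old certificate's notAfter with the date; the notAfter column is
useful for tidiness but never by itself a reason to delete.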


