On 26. 6. at 23:28, Fehlauer, Norbert via mailop wrote:

> But when using only 3 1 1 DANE records I can only publish the new certificate
> as soon as it is signed, and I am going to delete the old record a few days later.

Not really, "x 1 x" is about the cert's public key, not the certificate itself, thus one can generate the TLSA e.g. from the signing request (I never tried this).

> It can change (so I would have to check at least each time I get a new
> certificate for the MTA), but not as long as the actual certificate is valid
> (at least to my understanding). Using self-signed certificates would make it
> impossible to use DANE and MTA-STS at the same host I guess, right?

The problem is that CA certs can change at any time and you need them to be the same for the whole rollover time, not just at the time of the new cert's deployment.

> Btw. is 2 1 1 or 2 0 1 to be preferred if it were used?

It is really simple: one has to prefer "x 1 x" in most cases, unless you know why you need "x 0 x" ;-)

--
Slavko
https://www.slavino.sk/

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
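The point made in this thread, that a "3 1 1" TLSA record covers the key (selector 1, SubjectPublicKeyInfo) rather than the signed certificate, can be checked with openssl. The script below is an added example and is not from the mailop thread or from either poster: it generates a key and a CSR, signs two certificates from that same CSR (as a renewal that keeps the key would), and derives the TLSA data for "3 1 1" from the certificates and from the CSR alone, plus "3 0 1" (selector 0, full certificate) for comparison. It assumes openssl(1) is in PATH; the host name mx.example.net and the file names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the mailop thread): derive DANE TLSA "3 1 1" and
# "3 0 1" data with openssl and show that the "x 1 x" form depends only on
# the public key (so it can be computed from the CSR before the cert is
# signed and survives a re-sign with the same key), while "x 0 x" changes
# with every new certificate. Assumes openssl(1) in PATH; the subject
# mx.example.net and all file names are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# "3 1 1": SHA-256 over the DER SubjectPublicKeyInfo extracted from a certificate.
tlsa_311_from_cert() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Same SPKI hash, but taken from the signing request: no signed cert needed yet.
tlsa_311_from_csr() {
    openssl req -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# "3 0 1": SHA-256 over the whole DER certificate; differs per signed cert.
tlsa_301_from_cert() {
    openssl x509 -in "$1" -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# One EC key + CSR, then two certificates signed from the same CSR with
# different serial numbers (a rollover that keeps the key, e.g. a renewal).
make_fixture() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/mx.key" -out "$WORK/mx.csr" \
        -subj "/CN=mx.example.net" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/mx.csr" -signkey "$WORK/mx.key" \
        -days 90 -set_serial 1 -out "$WORK/mx-a.crt" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/mx.csr" -signkey "$WORK/mx.key" \
        -days 90 -set_serial 2 -out "$WORK/mx-b.crt" >/dev/null 2>&1
}

# Print the records an operator would publish for _25._tcp.mx.example.net
# and show which of them survive the re-sign.
demo() {
    make_fixture
    a311="$(tlsa_311_from_cert "$WORK/mx-a.crt")"
    b311="$(tlsa_311_from_cert "$WORK/mx-b.crt")"
    c311="$(tlsa_311_from_csr  "$WORK/mx.csr")"
    a301="$(tlsa_301_from_cert "$WORK/mx-a.crt")"
    b301="$(tlsa_301_from_cert "$WORK/mx-b.crt")"
    echo "_25._tcp.mx.example.net. IN TLSA 3 1 1 $a311   (cert A)"
    echo "_25._tcp.mx.example.net. IN TLSA 3 1 1 $b311   (cert B, re-signed)"
    echo "_25._tcp.mx.example.net. IN TLSA 3 1 1 $c311   (from the CSR)"
    echo "_25._tcp.mx.example.net. IN TLSA 3 0 1 $a301   (cert A)"
    echo "_25._tcp.mx.example.net. IN TLSA 3 0 1 $b301   (cert B, re-signed)"
    [ "$a311" = "$b311" ] && [ "$a311" = "$c311" ] \
        && echo "3 1 1 is stable across the re-sign and matches the CSR"
    [ "$a301" != "$b301" ] && echo "3 0 1 changed with the re-sign"
}

demo
```

The practical consequence for a rollover: with "3 1 1" the new record can be published (and its TTL allowed to expire) as soon as the CSR exists, before the CA has returned the certificate, and a renewal that reuses the key needs no DNS change at all. Only a key change requires the old and new "3 1 1" records to coexist until the old certificate is out of service.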
