On Fri, Feb 20, 2026 at 04:46:45PM +0100, Benoît Panizzon wrote:
> Complete oversight of my part. As a 'technophile' I try out stuff, and
> in the case of DANE, yes, it's a good idea, but it became too
> cumbersome to maintain when I switched the affected domains to let's
> encrypt. I just scripted to restart the services affected when the cert
> changes but completely neglected DANE.
When you combine DANE with Let's Encrypt the sensible thing to do is to
configure your ACME client to NOT automatically rotate the key on every
renewal. This isn't actually difficult, but sadly not as widely known
as one might hope.
- DANE-friendly ACME:
* https://github.com/raforg/danectl
* https://github.com/tlsaware/danebot
- Monitoring software
* https://github.com/sys4/smtp-dane-verify
* https://list.sys4.de/hyperkitty/list/[email protected]/message/6723WDBLPYWSXAORTAJR7EPAIOFAP5N4/
- Best practice "3 1 1" rollover methodology:
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
- Realtime check of current DANE SMTP authentication:
https://www.huque.com/bin/danecheck-smtp
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
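Added example, not taken from the thread or from any of the tools linked above: a POSIX shell check that derives the DANE-EE "3 1 1" TLSA data (SHA-256 over the certificate's DER SubjectPublicKeyInfo) and refuses a renewed certificate whose key no longer matches a published record, which is the property a non-rotating ACME setup is meant to preserve. The keys, the host name mx.example.test and the certificates are constructed locally with openssl for the demo.

```shell
#!/bin/sh
# Added example (not from the mailop thread or the linked tools): compute
# "3 1 1" TLSA data for a certificate and gate deployment on a match with
# the records already published in DNS.
set -eu

# Print the "3 1 1" TLSA data for a PEM certificate: hex SHA-256 of the DER SPKI.
tlsa_311_from_cert() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | sed 's/^.*= *//'
}

# Pre-deployment check: $1 is the candidate certificate, the remaining args
# are the hashes currently published in the TLSA RRset (3 1 1 records only).
# Returns 0 when the cert's SPKI hash matches one of them, 1 otherwise.
tlsa_311_matches() {
    cert=$1; shift
    have=$(tlsa_311_from_cert "$cert")
    for rr in "$@"; do
        [ "$have" = "$rr" ] && return 0
    done
    return 1
}

# Constructed demo data: one EC key, an initial cert plus a "renewal" that
# keeps the key, and a cert on a freshly rotated key.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
make_cert() {   # $1 = key file, $2 = output cert file, $3 = validity in days
    openssl req -new -x509 -key "$1" -subj /CN=mx.example.test \
        -days "$3" -out "$2" 2>/dev/null
}
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$tmp/k1.pem" 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$tmp/k2.pem" 2>/dev/null
make_cert "$tmp/k1.pem" "$tmp/old.pem" 90
make_cert "$tmp/k1.pem" "$tmp/renewed.pem" 90
make_cert "$tmp/k2.pem" "$tmp/rotated.pem" 90

# The record that would already be in DNS for the current key.
published=$(tlsa_311_from_cert "$tmp/old.pem")
echo "_25._tcp.mx.example.test. IN TLSA 3 1 1 $published"

# Renewal on the same key still matches; a silently rotated key does not.
tlsa_311_matches "$tmp/renewed.pem" "$published" && echo "renewed: OK to deploy"
tlsa_311_matches "$tmp/rotated.pem" "$published" || echo "rotated: publish new TLSA first"
```

Per the "3 1 1" rollover, the second branch is the point where the new key's record should be added alongside the old one and left to propagate past the TTL before the cert on the new key goes live.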