Gerd Hoerst via Postfix-users <postfix-users@postfix.org> wrote: > I checked my cert and it related to R10 , but i will also publish the rest > regarding you advice....
I do recommend investigating '3 1 1' records, instead. "Hence, my best advice is to not play Let's Encrypt whack-a-mole, and use "3 1 1" records with stable keys (not automatically replaced with every renewal)." [see Viktors link: http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html] <http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html%5D> And have a look at a thread in this ML starting with https://www.mail-archive.com/postfix-users@postfix.org/msg92488.html I have followed that advice and publish one RSA and ECC record for both of my mail servers, each. I am using LE certificates with a stable private key that I revoke once in a while. (This is not one of Viktor's recommendations: I publish a '3 1 1' record derived from a self-signed certificate in addition, mainly for manually interventions in potential LE disaster recovery purposes.) Regards, Michael _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
