> On Apr 12, 2018, at 11:21 PM, Philip Paeps <phi...@trouble.is> wrote:
> As pointed out, you don't need to restart (and usually don't even need to
> reload) Postfix for the new keys and certificates to take effect.
> However: do keep in mind that if you're using DANE and you're replacing the
> keys, you need to allow enough time for the keys to roll over in the DNS.
> Unless you have a real need to change or replace the keys (e.g. compromise,
> policy), it may be easier to simply reissue the certificate without
> generating new keys. In that case, you can use "3 1 1" TLSA records in the
> DNS and you don't need to roll them when you're simply reissuing your
For mistakes to avoid and the latest best practice key rotation approaches for
The original timing considerations are described in:
but the ideas in the ICANN61 slides incorporate more recent insights.
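The "3 1 1" point above, worked through as an added example (not code from the thread or from Postfix): a usage 3 / selector 1 / matching type 1 TLSA record is the SHA-256 of the certificate's SubjectPublicKeyInfo, so reissuing a certificate for the same key leaves the published record unchanged and only a real key change needs a DNS rollover. It assumes the openssl CLI is installed; the host name mx.example.test and the certificates it generates are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: derive the DANE "3 1 1" TLSA record for a
# Postfix MX certificate. Usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo),
# matching type 1 (SHA-256) hashes the public key, not the certificate, so a
# certificate reissued for the same key keeps the published record and only a
# real key rotation requires a DNS rollover. Assumes the openssl CLI is present.
set -e

# Hex SHA-256 of the DER SubjectPublicKeyInfo taken from a PEM certificate.
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r \
        | cut -c1-64
}

# Full record for the SMTP port of the given MX host name.
tlsa_record() {
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(tlsa_311 "$2")"
}

# Constructed demo material (hypothetical host name): one key with two
# self-signed certificates issued from it, plus a certificate on a new key.
make_demo_certs() {
    d=$1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$d/key1.pem"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$d/key2.pem"
    for spec in cert1a:key1:1 cert1b:key1:30 cert2:key2:1; do
        name=${spec%%:*}; rest=${spec#*:}; key=${rest%%:*}; days=${rest#*:}
        openssl req -new -x509 -key "$d/$key.pem" -days "$days" \
            -subj '/CN=mx.example.test' -out "$d/$name.pem" 2>/dev/null
    done
}

# Returns 0 when reissuing (cert1a -> cert1b) leaves the record unchanged and
# rotating the key (cert2) changes it, which is the point made in the thread.
reissue_keeps_record() {
    d=$1
    a=$(tlsa_311 "$d/cert1a.pem"); b=$(tlsa_311 "$d/cert1b.pem"); c=$(tlsa_311 "$d/cert2.pem")
    [ "$a" = "$b" ] && [ "$a" != "$c" ]
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
tlsa_record mx.example.test "$demo_dir/cert1a.pem"
tlsa_record mx.example.test "$demo_dir/cert1b.pem"   # same key, same record
tlsa_record mx.example.test "$demo_dir/cert2.pem"    # new key, new record
reissue_keeps_record "$demo_dir" && echo "reissue keeps 3 1 1 record; key change does not"
```

Before a real key rotation, publish the new key's record alongside the old one and wait out the DNS TTLs before switching Postfix to the new key, then remove the old record.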