> On Apr 12, 2018, at 11:21 PM, Philip Paeps <phi...@trouble.is> wrote:
> As pointed out, you don't need to restart (and usually don't even need to 
> reload) Postfix for the new keys and certificates to take effect.
> However: do keep in mind that if you're using DANE and you're replacing the 
> keys, you need to allow enough time for the keys to roll over in the DNS.
> Unless you have a real need to replace the keys (e.g. compromise, 
> policy), it may be easier to simply reissue the certificate without 
> generating new keys.  In that case, you can use "3 1 1" TLSA records in the 
> DNS and you don't need to roll them when you're simply reissuing your 
> certificates.

For mistakes to avoid and the latest best practice key rotation approaches for 
DANE see:


The original timing considerations are described in:


but the ideas in the ICANN61 slides incorporate more recent insights.
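As an added example (not code from the thread or from Postfix), the script below computes the "3 1 1" TLSA record data for a certificate with the openssl CLI and checks the point made above: reissuing with the same key leaves the record unchanged, while a new key changes it. The key files, the mx.example name and the self-signed certificates are constructed test data.

```shell
#!/bin/sh
# Added example, not from the original thread. Computes the DANE TLSA "3 1 1"
# record data (SHA-256 of the DER-encoded SubjectPublicKeyInfo) for a PEM
# certificate, then shows that reissuing a certificate with the same key keeps
# the record unchanged while a new key changes it. Assumes the openssl CLI.
set -eu

# Print the "3 1 1" data for the certificate in $1.
# Usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256.
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | sed 's/^.*= //'
}

# Succeed when two certificates yield the same "3 1 1" record.
tlsa_311_same() {
    [ "$(tlsa_311 "$1")" = "$(tlsa_311 "$2")" ]
}

# Issue a self-signed certificate (constructed test data) for key $1 into $2.
issue_cert() {
    openssl req -new -x509 -key "$1" -subj "/CN=mx.example" -days 30 -out "$2" 2>/dev/null
}

# Build the scenario: one key reissued twice, plus a fresh key. Prints the
# records and returns non-zero if the expected relationship does not hold.
demo_dane_rollover() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/key1.pem" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/key2.pem" 2>/dev/null
    issue_cert "$dir/key1.pem" "$dir/cert1.pem"    # original certificate
    issue_cert "$dir/key1.pem" "$dir/cert1b.pem"   # reissued with the same key
    issue_cert "$dir/key2.pem" "$dir/cert2.pem"    # replacement with a new key
    for c in cert1 cert1b cert2; do
        printf '%s: _25._tcp.mx.example. IN TLSA 3 1 1 %s\n' "$c" "$(tlsa_311 "$dir/$c.pem")"
    done
    # Same key: no DNS change needed. New key: publish the new record next to
    # the old one and wait out the TTL before switching Postfix to the new key.
    tlsa_311_same "$dir/cert1.pem" "$dir/cert1b.pem" \
        || { echo "reissue changed the record" >&2; rm -rf "$dir"; return 1; }
    tlsa_311_same "$dir/cert1.pem" "$dir/cert2.pem" \
        && { echo "new key kept the record" >&2; rm -rf "$dir"; return 1; }
    rm -rf "$dir"
}

demo_dane_rollover
```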
