[https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r...] Thanks, Sylvain and Bjørn! -- Von meinem Android-Gerät gesendet. -----Original Message----- From: Carsten Schiefner <carsten@schiefner.de> To: "Bjørn Mork" <bjorn@mork.no> Cc: ripe-atlas@ripe.net Sent: Di., 03 Sep. 2019 14:34 Subject: Re: [atlas] SSL Certificates for ripe anchors Hi Bjørn,
Am 03.09.2019 um 13:35 schrieb Bjørn Mork <bjorn@mork.no>:
The tricky bit, however, comes if you want to use this very certificate in a TLSA RR as well: all of a sudden the RR points to a non-existing certificate when Letsencrypt's cron job has flipped the certificate.
[...]
You can renew Let's Encrypt certificates without changing the key. And if you use the recommended 3 1 1 TLSA records, then you don't have to change it unless the key is changed.
ah! :-) Would you have a specific pointer in mind you’d recommend and so like to share? Thanks & best, -C.