Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen gezeigt.

@@ Zeile 1: / Zeile 1: @@
+====== DANE records with Let's Encrypt ======
+===== Problem =====
+TLSA records announce what certificate is expected from an endpoint. Since the cert changes often, that can be tricky. One method re-uses the certificate key material so it doesn't change, but that's not very nice. We //want// to rotate the keys.
+===== Setup =====
+Instead of pinning the cert itself, use DANE-TA(2) to pin the currently active intermediate.
+==== Compute the Intermediate TLSA RR ====
+Find and download the currently used intermediate from LE's published [[https://letsencrypt.org/certificates/|Chain of Trust]]. Then compute its hash:
+<file bash>
+openssl x509 -in lets-encrypt-x3-cross-signed.pem -noout -pubkey |
+  openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex |
+  awk '{print "le-ca TLSA 2 1 1", $NF}'
+</file>
+Next, publish that somewhere such as at the SOA level. Don't forget to put a comment on there and set a calendar reminder to check for the new one in time.
+<file>
+; Let's Encrypt R3 intermediate, expires: 15. September 2025 16:00:00 GMT
+le-r3._dane     3600    IN      TLSA    2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
+</file>
+Finally, point all service records there:
+<file>
+_25._tcp.mx1.sys        IN      CNAME   le-r3._dane.example.com.
+</file>

MP-Wiki