Project

General

Profile

Actions

Enhancement #461

open

Prepare TLSA rollover tools

Added by Marc Dequènes over 9 years ago. Updated about 5 years ago.

Status:
New
Priority:
Low
Assignee:
-
Category:
Service :: DNS
Start date:
2015-07-12
Due date:
% Done:

0%

Estimated time:
Patch Available:
Confirmed:
No
Branch:
Entity:
DuckCorp
Security:
Help Needed:

Description

Currently tools are able to publish TLSA, but this does not allow rollovers.

We need to upgrade the process/script to publish the new records while keeping the previous records a certain time. Which means we need to memoize when it was published, and have some automated way of removing the old one.

In this process we need to pre-publish, which means install the new certificate later. So we need to act in advance before the previous one expire.


Related issues 1 (1 open0 closed)

Related to DuckCorp Infrastructure - Enhancement #675: Publish DANE/TLSA records for Let's Encrypt generated certsIn ProgressMarc Dequènes2019-09-20

Actions
Actions #1

Updated by Marc Dequènes over 7 years ago

  • Priority changed from High to Normal
TLSA was getting integrated into Chrome, and plugins were developed but all these initiatives seem to have stopped, see:

So maybe some hope in the MOSS project for Firefox, but not for today.

I'm then lowering the priority of this BR.

Actions #2

Updated by Marc Dequènes over 5 years ago

  • Related to Enhancement #675: Publish DANE/TLSA records for Let's Encrypt generated certs added
Actions #4

Updated by Marc Dequènes about 5 years ago

  • Priority changed from Normal to Low

We had some DuckCorp-CA generated TLSA RRs of 1 hour TTL in the past and it did not cause any problem. We currently rely on a very small 5 min TTL for TLSA RRs generated from LE so it should even reduce potential problems.

I'm keeping this BR around for future improvement when the tooling is more developed but lowering the priority.

Actions #5

Updated by Marc Dequènes about 5 years ago

There is an interesting discussion in this LE ticket.
If this goes to fruition then our custom script would not be needed, CNAME resolution would be automatic (as seen in #676), and a proper rollover would be done.

Actions

Also available in: Atom PDF