Enhancement #461
open
Prepare TLSA rollover tools
Added by Marc Dequènes over 9 years ago.
Updated about 5 years ago.
Description
Currently the tools are able to publish TLSA records, but this does not allow rollovers.
We need to upgrade the process/script to publish the new records while keeping the previous records for a certain time, which means we need to memoize when each was published and have some automated way of removing the old ones.
In this process we need to pre-publish, which means installing the new certificate later. So we need to act in advance, before the previous one expires.
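As an added illustration of the bookkeeping the description asks for (pre-publish, wait out the TTL, install, retire, prune), here is a small rollover tracker. It is not DuckCorp's script; the owner name, the 300 s TTL and 60 s grace period, the DANE parameters (3 0 1) and the certificate bytes are all assumed or constructed for the example.

```python
import hashlib
import json
from typing import Optional

# DANE parameters assumed for this example: usage 3 (DANE-EE), selector 0
# (full certificate), matching type 1 (SHA-256). Selector 0 needs only the DER
# bytes and no ASN.1 parsing; for selector 1 hash the SubjectPublicKeyInfo DER
# instead, the bookkeeping below is identical.
USAGE, SELECTOR, MATCHING = 3, 0, 1

# Constructed stand-ins for two DER-encoded certificates (not real certs).
OLD_CERT_DER = b"old-certificate-der-bytes"
NEW_CERT_DER = b"new-certificate-der-bytes"
OWNER = "_443._tcp.example.org."  # assumed owner name for the TLSA RRset


def tlsa_rdata(cert_der: bytes) -> str:
    """RDATA of the TLSA record matching this certificate."""
    return f"{USAGE} {SELECTOR} {MATCHING} {hashlib.sha256(cert_der).hexdigest()}"


class TlsaRollover:
    """Remembers when each TLSA RDATA was published and when it was retired."""

    def __init__(self, ttl: int, grace: int, state: Optional[dict] = None):
        self.ttl = ttl        # TTL (seconds) the TLSA RRset is served with
        self.grace = grace    # safety margin on top of the TTL
        # rdata -> {"published": epoch seconds, "retired": epoch seconds or None}
        self.state = state if state is not None else {}

    def pre_publish(self, rdata: str, now: float) -> None:
        """Step 1: publish the new record next to the old ones, noting when."""
        self.state.setdefault(rdata, {"published": now, "retired": None})

    def ready_to_install(self, rdata: str, now: float) -> bool:
        """Step 2: the new certificate may go live only once every cached copy
        of the old RRset (which lacks the new record) has expired."""
        entry = self.state.get(rdata)
        return entry is not None and now - entry["published"] >= self.ttl + self.grace

    def mark_installed(self, rdata: str, now: float) -> None:
        """Step 3: the new certificate is served; retire the other live records."""
        for other, entry in self.state.items():
            if other != rdata and entry["retired"] is None:
                entry["retired"] = now

    def prune(self, now: float) -> list:
        """Step 4: drop records retired for longer than TTL + grace. Within that
        window the previous certificate can still be rolled back to safely."""
        expired = [r for r, e in self.state.items()
                   if e["retired"] is not None and now - e["retired"] >= self.ttl + self.grace]
        for r in expired:
            del self.state[r]
        return expired

    def rrset(self, owner: str) -> list:
        """Zone-file lines for every record that must currently be published."""
        return [f"{owner} {self.ttl} IN TLSA {r}" for r in self.state]

    def dumps(self) -> str:
        """Persist the memoized timestamps between runs of the script."""
        return json.dumps({"ttl": self.ttl, "grace": self.grace, "state": self.state})

    @classmethod
    def loads(cls, text: str) -> "TlsaRollover":
        data = json.loads(text)
        return cls(data["ttl"], data["grace"], data["state"])


def demo(ttl: int = 300, grace: int = 60) -> dict:
    """Walk one renewal through the four steps with a 5 min TTL."""
    t0 = 1_600_000_000
    old, new = tlsa_rdata(OLD_CERT_DER), tlsa_rdata(NEW_CERT_DER)
    ro = TlsaRollover(ttl, grace)
    ro.pre_publish(old, t0 - 86400)          # old record has been live for a day
    ro.mark_installed(old, t0 - 86400)
    ro.pre_publish(new, t0)                  # renewal obtained: pre-publish first
    too_early = ro.ready_to_install(new, t0 + ttl)           # caches may still hold the old RRset
    ready = ro.ready_to_install(new, t0 + ttl + grace)       # safe to swap the certificate
    ro.mark_installed(new, t0 + ttl + grace)
    still_kept = ro.prune(t0 + ttl + grace + 10)             # old record kept for rollback
    removed = ro.prune(t0 + 2 * (ttl + grace))               # old record finally dropped
    ro = TlsaRollover.loads(ro.dumps())                      # state survives a restart
    return {"too_early": too_early, "ready": ready, "still_kept": still_kept,
            "removed": removed, "final": ro.rrset(OWNER)}


if __name__ == "__main__":
    for line in demo()["final"]:
        print(line)
```

The script is meant to be run from the same timer that renews the certificate: it only ever emits the full RRset to publish, so the zone always carries the union of live and recently retired records, and the certificate swap is gated on `ready_to_install`, never on the renewal finishing.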
Related issues
1 (1 open — 0 closed)
- Priority changed from High to Normal
TLSA was getting integrated into Chrome, and plugins were developed, but all these initiatives seem to have stopped, see:
So maybe some hope in the MOSS project for Firefox, but not for today.
I'm then lowering the priority of this BR.
- Related to Enhancement #675: Publish DANE/TLSA records for Let's Encrypt generated certs added
- Priority changed from Normal to Low
We had some DuckCorp-CA-generated TLSA RRs with a 1 hour TTL in the past, and it did not cause any problems. We currently rely on a very small 5 min TTL for TLSA RRs generated from LE, so it should reduce potential problems even further.
I'm keeping this BR around for future improvement when the tooling is more developed but lowering the priority.
There is an interesting discussion in this LE ticket.
If this goes to fruition then our custom script would not be needed, CNAME resolution would be automatic (as seen in #676), and a proper rollover would be done.