On 02/19/2017 08:39 PM, Michael A. Peters wrote:
> Every time I change the private key -
> A) I have to make a TLSA record for the new key
You're actually expected to pin the CA in your TLSA record, not your own key.
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r...
http://www.internetsociety.org/deploy360/blog/2016/01/lets-encrypt-certifica...
https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certific...
I had the privilege of being auto-yelled at by Viktor Dukhovni over forgetting to adjust my TLSA after changing certificates for SMTP. I would however prefer to automate the process of pushing new TLSA records, waiting out twice the TTL and then pushing the certificate. Going through this every time would ensure I have valid records every time, without having to worry about the CA key changing. This is on my to-do list, for SMTP, XMPP, IMAP etc.