| SYSTEM INFORMATION | |
|---|---|
| OS type and version | AlmaLinux 9.3 |
| Webmin version | 2.111 |
| Virtualmin version | 7.10.0 |
I am trying to figure out how to make DANE work properly.
I enabled DNSSEC and DANE (TLSA) records for my domain and added it to my registrar.
It works.
DANE TLSA, when issuing a new certificate, comes up as invalid on various testing sites.
When restarting BIND, the values tend to validate after a short while. I don't know whether this is a propagation issue or whether BIND needs to be restarted for the new TLSA values.
Other issue:
For every Let's Encrypt cert request it generates new 3 0 1 type records, and the old ones become invalid.
If I test my domain on internet.nl I get a message saying that I don't have a DANE rollover scheme in place.
There are some sites that explain 3 1 1 and 2 1 1 records, which include the new key as well, and say that 3 0 1 is wrong for Let's Encrypt? I really don't have the knowledge or understanding.
See for example:
But I also read that Let's Encrypt has this:

```
--reuse-key     When renewing, use the same private key as the
                existing certificate. (default: False)
```

Maybe that would help?
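The following is an added example and is not part of the original post, nor Virtualmin's or Let's Encrypt's own code. It shows in working code what the three TLSA parameter sets in the post pin to, which is the reason for the "rollover scheme" warning. The RDATA of a TLSA record is `<usage> <selector> <matching type> <hex>` (RFC 6698): with selector 0 the hash covers the whole certificate, so a `3 0 1` record changes every time the CA issues a new certificate, even if the private key is the same; with selector 1 only the SubjectPublicKeyInfo (the public key) is hashed, so a `3 1 1` record stays valid across renewals as long as the key is reused; usage 2 (`2 1 1`) pins the issuing CA's key instead of the server's. RFC 7671 section 8 describes the rollover schemes internet.nl is looking for: publish a record for the current key plus one for the next key (or for the issuer) before the certificate is switched, and only remove the old record once the old TLSA RRset's TTL has expired. The script uses only the standard library; the DER walker, the record functions and the `make_sample_*` builders are my own names, and the sample certificates are constructed data with no real keys or signatures, built only so the block runs offline. `pem_to_der()` accepts a real `cert.pem` as well.

```python
"""DANE TLSA records from X.509 certificates, standard library only (added example)."""
import base64
import hashlib

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _encode_tlv(tag, body):
    """DER-encode one TLV (only used to build the constructed sample certificates)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo (tag and length included) of a certificate.
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert, _ = _read_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)               # TBSCertificate SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0              # skip explicit [0] version if present
    for _ in range(5):                           # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    tag, _, end = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo SEQUENCE not found")
    return tbs[pos:end]

def tlsa_rdata(cert_der, usage, selector, matching):
    """TLSA RDATA text per RFC 6698: '<usage> <selector> <matching type> <hex>'.
    selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
    matching type 0 = raw data, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    digest = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[matching]
    return f"{usage} {selector} {matching} {digest(data).hex()}"

def pem_to_der(pem_text):
    """Decode a PEM certificate (e.g. a Let's Encrypt cert.pem) to DER."""
    body = [ln for ln in pem_text.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def matching_records(chain_ders, published):
    """Published TLSA records that a chain (leaf first, then issuing CAs) satisfies.
    Usage 3/1 is matched against the leaf, usage 2/0 against any CA in the chain;
    the extra PKIX validation that usages 0 and 1 require is out of scope here."""
    hits = []
    for rec in published:
        rec = " ".join(rec.split()).lower()
        usage, selector, matching, _ = rec.split(" ")
        candidates = chain_ders[:1] if usage in ("1", "3") else chain_ders[1:]
        if any(tlsa_rdata(c, int(usage), int(selector), int(matching)) == rec
               for c in candidates):
            hits.append(rec)
    return hits

# Constructed sample data: syntactically valid DER, but no real keys or signatures.
def make_sample_spki(key_bytes):
    """SubjectPublicKeyInfo for id-ecPublicKey (1.2.840.10045.2.1) with made-up key bytes."""
    alg = _encode_tlv(0x30, _encode_tlv(0x06, bytes.fromhex("2a8648ce3d0201")))
    return _encode_tlv(0x30, alg + _encode_tlv(0x03, b"\x00" + key_bytes))

def make_sample_cert(serial, spki, issuer=b"Sample CA", subject=b"mail.example.test"):
    """Certificate with a correctly shaped TBSCertificate and a dummy signature (0 < serial < 128)."""
    def name(cn):                                # SEQUENCE { SET { SEQUENCE { CN OID, UTF8String } } }
        attr = _encode_tlv(0x30, _encode_tlv(0x06, bytes.fromhex("550403")) + _encode_tlv(0x0C, cn))
        return _encode_tlv(0x30, _encode_tlv(0x31, attr))
    utc = _encode_tlv(0x17, b"240101000000Z")
    tbs = _encode_tlv(0x30, _encode_tlv(0xA0, _encode_tlv(0x02, b"\x02"))      # version v3
                      + _encode_tlv(0x02, serial.to_bytes(1, "big"))           # serialNumber
                      + _encode_tlv(0x30, b"") + name(issuer)                  # sigalg placeholder, issuer
                      + _encode_tlv(0x30, utc + utc) + name(subject) + spki)   # validity, subject, SPKI
    return _encode_tlv(0x30, tbs + _encode_tlv(0x30, b"") + _encode_tlv(0x03, b"\x00" * 9))

def renewal_demo():
    """Why 3 0 1 changes on every renewal while 3 1 1 survives a renewal that reuses the key."""
    key_a, key_b = make_sample_spki(bytes(range(1, 33))), make_sample_spki(bytes(range(101, 133)))
    current = make_sample_cert(1, key_a)      # certificate in use today
    reissued = make_sample_cert(2, key_a)     # renewed with the same key (certbot --reuse-key)
    rekeyed = make_sample_cert(3, key_b)      # renewed with a fresh key pair
    return {"3 0 1 stable after reuse-key renewal": tlsa_rdata(current, 3, 0, 1) == tlsa_rdata(reissued, 3, 0, 1),
            "3 1 1 stable after reuse-key renewal": tlsa_rdata(current, 3, 1, 1) == tlsa_rdata(reissued, 3, 1, 1),
            "3 1 1 stable after re-key": tlsa_rdata(current, 3, 1, 1) == tlsa_rdata(rekeyed, 3, 1, 1)}

if __name__ == "__main__":
    for label, stable in renewal_demo().items():
        print(f"{label}: {stable}")
```

For a real certificate, `tlsa_rdata(pem_to_der(open("cert.pem").read()), 3, 1, 1)` should give the same digest as `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256`, and `matching_records()` run against the records currently published in DNS tells you, before swapping the certificate in, whether the new key is already covered by the zone.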