DANE Rollover scheme

SYSTEM INFORMATION
OS type and version: Almalinux 9.3
Webmin version: 2.111
Virtualmin version: 7.10.0

I am trying to figure out how to make DANE work properly.

I enabled DNSSEC and DANE (TLSA) records for my domain and added it to my registrar.

It works.

DANE TLSA, when issuing a new certificate, comes up as invalid on various testing sites.

When restarting BIND, the values tend to validate after a short while. I don't know if this is a propagation issue or BIND needs to be restarted for the new TLSA values.

Other issue:

For every Let's Encrypt cert request it generates new "3 0 1" type records, and the old ones become invalid.

If I test my domain on internet.nl I get a message saying that I don't have a DANE rollover scheme in place.

There are some sites that explain records with "3 1 1" and "2 1 1" records which have the new key as well, and that "3 0 1" is wrong for Let's Encrypt? I really don't have the knowledge or understanding.

See for example:

Please avoid “3 0 1” and “3 0 2” DANE TLSA records with LE certificates - Server - Let’s Encrypt Community Support (letsencrypt.org)

But I also read that Let's Encrypt (certbot) has this option:

    --reuse-key    When renewing, use the same private key as the
                   existing certificate. (default: False)

Maybe that would help?

To resolve your DANE and DNSSEC issues, consider using the --reuse-key option with Let's Encrypt to keep the same private key during renewals, which helps maintain valid TLSA records. Also, switch from "3 0 1" TLSA records to a configuration that reuses keys, as recommended for Let's Encrypt. This approach should reduce TLSA record changes and improve validation results.
Also check this: learnmore-community.cloudflare.com/t/support-for-tlsa-dane-proto/9881?page=2
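The reason "3 0 1" breaks on every Let's Encrypt renewal while "3 1 1" plus --reuse-key survives is visible once you compute the records yourself. The following is an added, self-contained Python example (stdlib only; it is not Virtualmin, certbot or Let's Encrypt code). It builds toy X.509-shaped certificates with a tiny constructed DER encoder, derives the TLSA rdata for selector 0 (full certificate, i.e. "3 0 1") and selector 1 (SubjectPublicKeyInfo, i.e. "3 1 1") per RFC 6698, and shows that a renewal with the same key only changes the "3 0 1" digest. The key bytes, serials, validity dates and the record owner name `_25._tcp.mail.example.com.` are all constructed placeholders.

```python
"""Constructed example: how the TLSA selector interacts with certificate renewal."""
import hashlib

# --- minimal DER helpers (written for this example; not a full ASN.1 library) ---
SEQUENCE, INTEGER, BIT_STRING, OID, NULL, UTCTIME = 0x30, 0x02, 0x03, 0x06, 0x05, 0x17
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def der(tag, content):
    """Encode one TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_integer(value):
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")  # keeps sign bit clear
    return der(INTEGER, body)


def der_children(content):
    """Split concatenated TLVs into (tag, body, whole_tlv) tuples."""
    items, pos = [], 0
    while pos < len(content):
        start = pos
        tag, pos = content[pos], pos + 1
        length, pos = content[pos], pos + 1
        if length & 0x80:  # long-form length
            nbytes = length & 0x7F
            length = int.from_bytes(content[pos:pos + nbytes], "big")
            pos += nbytes
        body = content[pos:pos + length]
        pos += length
        items.append((tag, body, content[start:pos]))
    return items


def make_spki(public_key_bytes):
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }."""
    alg = der(SEQUENCE, der(OID, RSA_ENCRYPTION_OID) + der(NULL, b""))
    return der(SEQUENCE, alg + der(BIT_STRING, b"\x00" + public_key_bytes))


def make_cert(serial, not_before, not_after, spki_der):
    """Toy certificate with the real X.509 TBS field order and a dummy signature."""
    alg = der(SEQUENCE, der(OID, RSA_ENCRYPTION_OID) + der(NULL, b""))
    validity = der(SEQUENCE, der(UTCTIME, not_before) + der(UTCTIME, not_after))
    tbs = der(SEQUENCE,
              der(0xA0, der_integer(2))  # [0] EXPLICIT version v3
              + der_integer(serial)
              + alg
              + der(SEQUENCE, b"")       # issuer Name (empty in this toy)
              + validity
              + der(SEQUENCE, b"")       # subject Name (empty in this toy)
              + spki_der)
    return der(SEQUENCE, tbs + alg + der(BIT_STRING, b"\x00" * 33))


def extract_spki(cert_der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo (whole TLV)."""
    cert_body = der_children(cert_der)[0][1]
    tbs_fields = der_children(der_children(cert_body)[0][1])
    if tbs_fields[0][0] == 0xA0:  # version is OPTIONAL in X.509
        tbs_fields = tbs_fields[1:]
    return tbs_fields[5][2]  # serial, sigAlg, issuer, validity, subject, SPKI


def tlsa_rdata(cert_der, usage, selector, matching_type=1):
    """Presentation form 'usage selector mtype digest' as in RFC 6698."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        digest = data.hex()
    elif matching_type == 1:
        digest = hashlib.sha256(data).hexdigest()
    elif matching_type == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown TLSA matching type")
    return f"{usage} {selector} {matching_type} {digest}"


def rollover_records(current_cert, next_cert, name="_25._tcp.mail.example.com."):
    """The '3 1 1' set to publish before the new certificate goes live.
    With a reused key both digests coincide and a single record stays valid."""
    rdata = {tlsa_rdata(c, 3, 1) for c in (current_cert, next_cert)}
    return [f"{name} IN TLSA {r}" for r in sorted(rdata)]


if __name__ == "__main__":
    key_a, key_b = bytes(range(64)), bytes(range(64, 128))  # constructed stand-ins
    cert1 = make_cert(1001, b"240101000000Z", b"240401000000Z", make_spki(key_a))
    cert2 = make_cert(1002, b"240301000000Z", b"240601000000Z", make_spki(key_a))
    cert3 = make_cert(1003, b"240301000000Z", b"240601000000Z", make_spki(key_b))
    for label, c in (("initial", cert1), ("renewed, same key", cert2), ("renewed, new key", cert3)):
        print(f"{label:18} {tlsa_rdata(c, 3, 0)}\n{'':18} {tlsa_rdata(c, 3, 1)}")
    print("\n".join(rollover_records(cert1, cert3)))
```

Run it and compare the two lines per certificate: the "3 0 1" digest differs for every certificate, while "3 1 1" is identical for the two certificates sharing a key and only changes when the key changes. That is the rollover behaviour internet.nl is looking for: publish the new key's "3 1 1" record alongside the old one, wait for the TTL, then install the certificate and retire the old record. A "2 1 1" record would hash the issuing CA's SPKI in the same way (pass the intermediate certificate to tlsa_rdata with usage 2), which is why it also survives leaf renewals as long as Let's Encrypt keeps signing with that intermediate.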

I don't know where to edit the letsencrypt command, nor do I know if that's a good idea.

I was hoping that in future updates it is implemented with a rollover scheme.

If you change the TLSA records, they are currently overwritten at cert request.