ekollof / gentlsa

Tool for DANE/TLSA (with Cloudflare API support)

DANE rollover scheme? #5

Open jult opened 1 year ago

jult commented 1 year ago

Great tool! Happy user. Would be even greater if you'd add a rollover scheme to the cloudflare.

Such a scheme will be proven useful when there is a need to update your mail server certificate(s). It can prevent that DANE becomes invalid during the transition period which could endanger mail deliverability at your domain. A rollover scheme could but does not need to be 'active' all the time.

We recommend you to apply one of the following two schemes with double DANE TLSA records:

1 - Current + Next ("3 1 1" + "3 1 1"): Publish two "DANE-EE(3) SPKI(1) SHA2-256(1)" records, one for the current and one for the next TLS certificate of your mail server.
2 - Current + Issuer CA ("3 1 1" + "2 1 1"): Publish a "DANE-EE(3) SPKI(1) SHA2-256(1)" record for the current TLS certificate of your mail server, and also a "DANE-TA(2) SPKI(1) SHA2-256(1)" record for the current root or intermediate certificate of the (not necessarily public) certificate authority

I think you could pull it off using option 2, using current root or intermediate certs. If I find the time I will look at the script and add this; shouldn't be too hard.

Giga-Pudding commented 1 year ago

I agree, great tool! And I also vote for rollover support.

Or maybe pause the script, until the TTL of the previous TLSA record is expired, then delete the previous TLSA record (in case the TTL is just a few minutes).
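The two double-record schemes quoted in the first comment, and the "publish the new record, delete the old one only after its TTL has passed" flow suggested in the second, as an added example that is not part of gentlsa or of this thread. It assumes certificates are available as DER bytes and uses a minimal DER walker (enough to reach SubjectPublicKeyInfo) rather than a full X.509 parser; the `toy_cert` builder produces a constructed, unsigned certificate skeleton purely so the example runs offline.

```python
"""Added example (not gentlsa's code): build the 'current + next' (3 1 1 + 3 1 1)
and 'current + issuer CA' (3 1 1 + 2 1 1) TLSA record sets from certificate DER,
and compute which records to add now and which to delete only after the old TTL.
"""
import hashlib


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, elem_start, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    value_start = pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[value_start:value_start + n], "big")
        value_start += n
    return tag, pos, value_start, value_start + length


def _children(buf, start, end):
    """Yield the TLVs contained in a constructed element's value range."""
    pos = start
    while pos < end:
        elem = _tlv(buf, pos)
        yield elem
        pos = elem[3]


def spki_der(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo (the bytes TLSA selector 1 hashes)."""
    _, _, cert_vs, cert_ve = _tlv(cert_der, 0)
    tbs = next(_children(cert_der, cert_vs, cert_ve))       # tbsCertificate
    fields = list(_children(cert_der, tbs[2], tbs[3]))
    if fields[0][0] == 0xA0:                                # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki = fields[5]
    return cert_der[spki[1]:spki[3]]


def tlsa_record(cert_der, usage):
    """TLSA rdata for selector 1 (SPKI) and matching type 1 (SHA2-256)."""
    return f"{usage} 1 1 {hashlib.sha256(spki_der(cert_der)).hexdigest()}"


def scheme_current_next(current_der, next_der):
    """Scheme 1: DANE-EE for the current and for the next server certificate."""
    return {tlsa_record(current_der, 3), tlsa_record(next_der, 3)}


def scheme_current_issuer(current_der, issuer_der):
    """Scheme 2: DANE-EE for the current certificate plus DANE-TA for its issuer."""
    return {tlsa_record(current_der, 3), tlsa_record(issuer_der, 2)}


def rollover_plan(published, desired):
    """Records to add immediately, and records that may only go once the old TTL expired."""
    return {"add": sorted(desired - published),
            "remove_after_ttl": sorted(published - desired)}


# --- constructed test data (not real certificates) -------------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _seq(*parts):
    return _der(0x30, b"".join(parts))


def toy_spki(pubkey_bytes):
    """SubjectPublicKeyInfo with an rsaEncryption AlgorithmIdentifier and a fake key."""
    rsa_oid = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
    return _seq(_seq(rsa_oid, _der(0x05, b"")), _der(0x03, b"\x00" + pubkey_bytes))


def toy_cert(pubkey_bytes):
    """Unsigned certificate skeleton with empty names; only the SPKI matters here."""
    version = _der(0xA0, _der(0x02, b"\x02"))
    serial = _der(0x02, b"\x01")
    sig_alg = _seq(_der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    name = _seq()
    validity = _seq(_der(0x17, b"240101000000Z"), _der(0x17, b"250101000000Z"))
    tbs = _seq(version, serial, sig_alg, name, validity, name, toy_spki(pubkey_bytes))
    return _seq(tbs, sig_alg, _der(0x03, b"\x00"))


if __name__ == "__main__":
    cur, nxt, ca = toy_cert(b"key-one"), toy_cert(b"key-two"), toy_cert(b"ca-key")
    published = {tlsa_record(cur, 3)}                 # what is in DNS today
    print("scheme 1:", rollover_plan(published, scheme_current_next(cur, nxt)))
    print("scheme 2:", rollover_plan(published, scheme_current_issuer(cur, ca)))
```

With real certificates, `spki_der` is applied to the DER of the live server certificate, the staged next certificate, or the issuing CA certificate; the `remove_after_ttl` list is what a script would hold back until the old record's TTL has elapsed, instead of deleting it in the same run that adds the new one.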

jult commented 11 months ago

For that to work you need a way to see what the old expiring records are and then delete them indeed, as they expire? Cloudflare doesn't just replace them, it adds new ones. What a silly invention, this DANE TLSA thing, it's horribly designed. Just think of the issues arising from people wanting to simply update their TLSA records. https://github.com/internetstandards/toolbox-wiki/blob/main/DANE-for-SMTP-how-to.md#tips--tricks-and-notices-for-implementation