internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

Fix #1228 - Separate DNS docs and add notes on MX, FCrDNS/SPF/DKIM/DMARC #1298

Closed mxsasha closed 5 months ago

bwbroersma commented 5 months ago

Maybe also add TLSA + CNAMEs?

mxsasha commented 5 months ago

This now also includes dropping the IPv6 subdomains from the certbot request on batch, consistent with this new documentation. The always-present subdomains are now www/nl/en, with more in the single test instance.

baknu commented 5 months ago

> Maybe also add TLSA + CNAMEs?

Yes, we could do so. We could add the TLSA/DANE values for Let's Encrypt (that we also have in our own DNS zone), but someone could of course choose to use a certificate from a different certificate provider. Furthermore, we could also add CAA.

mxsasha commented 5 months ago

> > Maybe also add TLSA + CNAMEs?
>
> Yes, we could do so. We could add the TLSA/DANE values for Let's Encrypt (that we also have in our own DNS zone), but someone could of course choose to use a certificate from a different certificate provider. Furthermore, we could also add CAA.

I do not think our documentation should include specific TLSA values, but only suggest it, like this PR does for CAA now. Otherwise we're just duplicating and it risks getting outdated.

mxsasha commented 5 months ago

@bwbroersma @baknu I think the current version of Docker-DNS.md is good - can you check? If it is, then I will update certbot.sh in this PR, and we can update our own zone to match this doc.