[Yeti DNS Discuss] A public Yeti DNS resolver (but with TLS)

Geoff Huston gih at apnic.net
Wed Jan 4 22:32:04 UTC 2017


> On 30 Dec 2016, at 5:11 am, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> 
> On Tue, Dec 27, 2016 at 07:53:49PM +0000,
> Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote 
> a message of 18 lines which said:
> 
>> it has a nice Let's Encrypt certificate. (I've set up a Nginx HTTP
>> server at <https://dns-resolver.yeti.eu.org/>, ran "sudo certbot
>> certonly --webroot -w /usr/share/nginx/html -d
>> dns-resolver.yeti.eu.org"
> 
> Any certbot expert here? I configured cron to run "certbot renew" every
> day:
> 
> 13 4 * *  *  certbot renew
> 
> 

You should be aware that certbot renew will generate a new private key when it
renews your certificate.

If you are using DANE this has some implications about the TLSA record and
you will need some local scripting to essentially perform a key roll.

Geoff
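The consequence Geoff describes, worked through as an added example (not code from the thread or from certbot): a "3 1 1" TLSA record binds the SHA-256 of the certificate's SubjectPublicKeyInfo, so a renewal that generates a fresh key invalidates the published record the moment the new certificate is served, and a hook run after renewal has to drive an add-then-remove roll of the TLSA RRset instead. The SPKI byte strings below are constructed placeholders, not real keys; the function names are my own. On a real host the DER SPKI would come from the renewed certificate, e.g. `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER`.

```python
"""Added example: TLSA '3 1 1' records across a certbot renewal that
generates a new private key, and the DANE key roll a renewal hook must
perform. Standard library only; every input below is constructed."""
import hashlib
from typing import Iterable, List, Set, Tuple


def tlsa_rdata(data: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation-format TLSA rdata (RFC 6698 field order).

    usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, mtype 1 = SHA-256.
    `data` is the DER SPKI for selector 1 or the DER certificate for selector 0.
    With selector 0 the record changes on every renewal regardless of key reuse;
    with selector 1 it only changes when the key changes, which is exactly what a
    key-regenerating renewal does.
    """
    if mtype == 0:
        assoc = data.hex()
    elif mtype == 1:
        assoc = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown TLSA matching type: %r" % mtype)
    return f"{usage} {selector} {mtype} {assoc}"


def dane_ee_ok(published: Iterable[str], served_spki: bytes) -> bool:
    """A DANE-EE/SPKI validator accepts the TLS endpoint iff the served key
    matches at least one published TLSA record."""
    return tlsa_rdata(served_spki) in set(published)


def plan_key_roll(published: Iterable[str], old_spki: bytes, new_spki: bytes,
                  ttl_seconds: int) -> List[Tuple[str, object]]:
    """Ordered steps to move the endpoint from old_spki to new_spki with no
    window in which DANE validators reject it: publish the new record, wait
    for caches holding the old RRset to expire, only then switch the server,
    and finally drop the old record."""
    old_rr, new_rr = tlsa_rdata(old_spki), tlsa_rdata(new_spki)
    zone = set(published)
    if old_rr == new_rr:
        # Key was reused: the TLSA record is already correct, just deploy.
        return [("switch", new_rr)]
    steps: List[Tuple[str, object]] = []
    if new_rr not in zone:
        steps.append(("add", new_rr))
    steps.append(("wait", ttl_seconds))   # at least the TLSA RRset TTL
    steps.append(("switch", new_rr))      # reload the TLS server with the new key
    if old_rr in zone:
        steps.append(("remove", old_rr))
    return steps


def apply_plan(published: Iterable[str], steps: List[Tuple[str, object]]) -> Set[str]:
    """Simulate the DNS side of the plan; return the resulting TLSA RRset."""
    zone = set(published)
    for action, arg in steps:
        if action == "add":
            zone.add(str(arg))
        elif action == "remove":
            zone.discard(str(arg))
    return zone


if __name__ == "__main__":
    # Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
    OLD_SPKI = b"constructed-old-spki-der"
    NEW_SPKI = b"constructed-new-spki-der"
    zone = {tlsa_rdata(OLD_SPKI)}
    print("before renewal, old key validates:", dane_ee_ok(zone, OLD_SPKI))
    # The failure mode: certbot renew made a new key and nginx was reloaded
    # without any DNS change.
    print("new key against stale TLSA:", dane_ee_ok(zone, NEW_SPKI))
    for step in plan_key_roll(zone, OLD_SPKI, NEW_SPKI, ttl_seconds=3600):
        print("  ", step)
    print("after roll:", dane_ee_ok(apply_plan(zone, plan_key_roll(zone, OLD_SPKI, NEW_SPKI, 3600)), NEW_SPKI))
```

Note the ordering in `plan_key_roll`: because certbot writes the new key and certificate to disk in one step, the hook must publish the new TLSA record and delay the server reload until the old RRset has aged out of resolver caches; reloading first and fixing DNS afterwards is the window in which DANE-aware clients refuse the service.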


