[Yeti DNS Discuss] A public Yeti DNS resolver (but with TLS)

Shane Kerr shane at biigroup.cn
Thu Jan 5 10:44:05 UTC 2017


Stephane,

At 2017-01-05 10:47:30 +0100
Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> On Thu, Jan 05, 2017 at 09:32:04AM +1100,
>  Geoff Huston <gih at apnic.net> wrote 
>  a message of 30 lines which said:
> 
> > You should be aware that certbot renew will generate a new private
> > key when it renews your certificate.
> > 
> > If you are using DANE this has some implications about the TLSA
> > record and you will need some local scripting to essentially perform
> > a key roll.  
> 
> Or if you are using key pinning (which is the only authentication
> currently documented in a RFC for DNS-over-TLS) :-(
> 
> The more I use Let's Encrypt, the more I regret CAcert. I don't find
> an option in certbot to keep my keys.

According to the FAQ it is possible:

https://certbot.eff.org/faq/#can-i-use-an-existing-private-key-or-certificate-signing-request-csr-with-certbot

But it doesn't document how to do that in the FAQ. :(

It looks like this might be the option:

  --key-path KEY_PATH   Path to private key for cert installation or
                        revocation (if account key is missing) (default: None)

But I haven't tried it.

Cheers,

--
Shane
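As an added example (not part of the thread and not certbot's code): a POSIX shell script that derives the value a DANE TLSA 3 1 1 record, and an RFC 7858 SPKI pin, are built from, so an operator can check whether a renewal changed the key and therefore needs a record/pin roll. It assumes openssl and POSIX od/tr are on PATH; the file and host names are hypothetical and the certificates in the demonstration are constructed self-signed ones.

```shell
# Added example (not part of the thread, not certbot's code). Assumes openssl
# and POSIX od/tr are on PATH; file names below are hypothetical.

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM certificate, hex-encoded.
# This is the association data of a TLSA 3 1 1 record and the value an
# RFC 7858 SPKI pin is built from: it depends only on the key, not the cert.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | od -An -tx1 -v | tr -d ' \n'
}

# Print the TLSA record an operator would publish for a DoT resolver (853/tcp).
tlsa_record() {
    printf '_853._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$(spki_sha256 "$1")"
}

# Exit 0 if the certificate's key still matches the published hash, else 1.
pin_still_valid() {
    [ "$(spki_sha256 "$1")" = "$2" ]
}

# Constructed demonstration with self-signed certs: cert2 is a renewal that
# keeps key1 (pin unchanged); cert3 is a renewal with a fresh key2, which is
# what "certbot renew" does by default, so the TLSA record/pin must be rolled.
demo_key_roll() {
    dir=$(mktemp -d)
    for k in 1 2; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$dir/key$k.pem" 2>/dev/null
    done
    openssl req -x509 -new -key "$dir/key1.pem" -subj /CN=dot.example.invalid \
        -days 1 -out "$dir/cert1.pem" 2>/dev/null
    openssl req -x509 -new -key "$dir/key1.pem" -subj /CN=dot.example.invalid \
        -days 1 -out "$dir/cert2.pem" 2>/dev/null
    openssl req -x509 -new -key "$dir/key2.pem" -subj /CN=dot.example.invalid \
        -days 1 -out "$dir/cert3.pem" 2>/dev/null
    pin=$(spki_sha256 "$dir/cert1.pem")
    tlsa_record "$dir/cert1.pem" dot.example.invalid
    if [ "${#pin}" -eq 64 ] && pin_still_valid "$dir/cert2.pem" "$pin" \
        && ! pin_still_valid "$dir/cert3.pem" "$pin"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}
```

On a certbot-managed host, run spki_sha256 against /etc/letsencrypt/live/<name>/cert.pem before and after a renewal; a changed hash means the TLSA record or the pin your clients hold must be updated before the old certificate expires.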
