[Yeti DNS Discuss] A public Yeti DNS resolver (but with TLS)

Shane Kerr shane at biigroup.cn
Thu Jan 5 10:44:05 UTC 2017


At 2017-01-05 10:47:30 +0100
Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> On Thu, Jan 05, 2017 at 09:32:04AM +1100,
>  Geoff Huston <gih at apnic.net> wrote 
>  a message of 30 lines which said:
> > You should be aware that certbot renew will generate a new private
> > key when it renews your certificate.
> > 
> > If you are using DANE this has some implications about the TLSA
> > record and you will need some local scripting to essentially perform
> > a key roll.  
> Or if you are using key pinning (which is the only authentication
> currently documented in an RFC for DNS-over-TLS) :-(
> The more I use Let's Encrypt, the more I regret CAcert. I don't find
> an option in certbot to keep my keys.

According to the FAQ it is possible:


But it doesn't document how to do that in the FAQ. :(

It looks like this might be the option:

  --key-path KEY_PATH   Path to private key for cert installation or
                        revocation (if account key is missing) (default: None)

But I haven't tried it.
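A way to check whether a renewal actually changed the key behind a DANE TLSA record or a DNS-over-TLS SPKI pin, added here as an example that is not part of the thread; it assumes the openssl command-line tool is installed, and the certificate paths are placeholders:

```shell
#!/bin/sh
# Added example (not from the Yeti thread): derive the TLSA "3 1 1" value and
# the RFC 7858 SPKI pin from a certificate, and compare two certificates to
# tell whether a renewal swapped the key, which is what forces a key roll.
# Assumes the openssl CLI; paths such as old.pem/new.pem are placeholders.

# DER-encoded SubjectPublicKeyInfo of the PEM certificate in $1, on stdout.
spki_der() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER
}

# TLSA 3 1 1 (DANE-EE, SPKI, SHA-256): the digest as lowercase hex.
tlsa_3_1_1() {
    spki_der "$1" | openssl dgst -sha256 -binary | od -An -tx1 | tr -d ' \n'
}

# RFC 7858 / RFC 7469 style pin: the same SHA-256 digest, base64-encoded.
spki_pin() {
    spki_der "$1" | openssl dgst -sha256 -binary | openssl base64 | tr -d '\n'
}

# Returns 0 when the SPKI in $2 differs from $1 (a roll is needed before the
# old TLSA record or pin can be retired), 1 when the key was kept.
key_roll_needed() {
    old=$(tlsa_3_1_1 "$1"); new=$(tlsa_3_1_1 "$2")
    if [ "$old" = "$new" ]; then
        echo "same key: TLSA 3 1 1 $old still matches"; return 1
    fi
    echo "key changed: publish TLSA 3 1 1 $new next to $old, then retire $old"
    return 0
}

# Typical use after 'certbot renew': key_roll_needed old.pem new.pem
```

Run it against the archived copy of the previous certificate and the freshly renewed one; publishing the new record before retiring the old one keeps DANE and pinning clients working across the roll.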
