On Mon, Apr 12, 2021 at 01:54:23AM +0000, Salz, Rich wrote:
> > You publish TLSA RRs for the new one and after the switch you delete the
> > ones for the old one. You can have more than one TLSA RR in a TLSA
> > RRset.
>
> Thanks for the explanation. I don't know enough DNSSEC to know if
> that's actually deployable, but okay

You can tune down TTLs before the change, etc.

Perhaps there is room for a certificate extension that says "invalidate
cached TLSA RRs cached before this $timestamp" (the timestamp might even
be the certificate's notBefore). Then there would be no need to tune
down TTLs.

Nico
--
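As an added illustration (not part of the thread, and not code from any DANE implementation), the following Python models the rollover Rich describes (publish both TLSA RRs, switch, delete the old one) together with the cache-invalidation idea Nico floats. The certificate bytes are constructed stand-ins for DER, and `cert_not_before` is a hypothetical parameter standing in for the proposed extension; it is not a real TLSA or X.509 feature.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
OLD_CERT_DER = b"constructed-der-bytes-of-the-old-certificate"
NEW_CERT_DER = b"constructed-der-bytes-of-the-new-certificate"

def tlsa_record(cert_der, usage=3):
    """TLSA rdata as (usage, selector, matching type, hex data): DANE-EE(3),
    selector 0 (full certificate), matching type 1 (SHA-256)."""
    return (usage, 0, 1, hashlib.sha256(cert_der).hexdigest())

@dataclass
class TlsaCache:
    """Resolver-side copy of the TLSA RRset and the time it was fetched."""
    rrset: tuple
    fetched_at: int

def validate(cache, cert_der, fetch_authoritative, now, cert_not_before=None):
    """Check a presented certificate against the cached TLSA RRset.
    cert_not_before is hypothetical: it models the extension proposed in the
    thread, where cached RRs older than that timestamp are dropped and refetched."""
    if cert_not_before is not None and cache.fetched_at < cert_not_before:
        cache.rrset, cache.fetched_at = fetch_authoritative(), now
    return tlsa_record(cert_der) in cache.rrset

def rollover_scenario():
    """Walk through the rollover: publish both RRs, switch, delete the old RR."""
    old, new = tlsa_record(OLD_CERT_DER), tlsa_record(NEW_CERT_DER)
    zone = {"TLSA": (old,)}                      # authoritative zone content
    fetch = lambda: zone["TLSA"]                 # stands in for a DNSSEC lookup
    cache = TlsaCache(rrset=fetch(), fetched_at=100)  # resolver cached at t=100
    results = {}
    zone["TLSA"] = (old, new)                    # step 1: both RRs published
    # Stale cache, no extension: the new cert fails until the TTL expires.
    results["stale_cache_new_cert"] = validate(cache, NEW_CERT_DER, fetch, now=200)
    # Extension semantics: notBefore=150 > fetched_at=100 forces a refetch.
    results["refetched_new_cert"] = validate(cache, NEW_CERT_DER, fetch, now=200,
                                             cert_not_before=150)
    results["overlap_old_cert"] = validate(cache, OLD_CERT_DER, fetch, now=200)
    zone["TLSA"] = (new,)                        # step 2: old RR deleted
    cache.rrset, cache.fetched_at = fetch(), 300  # cache refreshed after TTL
    results["after_delete_old_cert"] = validate(cache, OLD_CERT_DER, fetch, now=300)
    return results
```

The stale-cache case is exactly the window that lowering TTLs beforehand is meant to shrink; the refetch branch shows what a notBefore-driven invalidation would buy instead.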