# OVH DANE Companion

> Untested code ahead! This was done in a rush and isn't tested! It *should* work,
> but I wouldn't be surprised if it breaks sometimes.

## Aim

I wanted to implement, in a few days' worth of free time, a companion container for my Let's Encrypt container. My certificates are generated by a Docker container, and I wanted to deploy TLSA records automatically.

DANE and TLSA records are used to prevent TLS downgrade attacks, such as those attempted during a MITM attack.

I also wanted to have a 100% score on internet.nl for my email server security, and I got [it](https://internet.nl/mail/louis-vallat.xyz/671317/).

## Rollover scheme

There **isn't** any. I could add a "2 1 1" record using Let's Encrypt's root certificates, but then I could just permanently use a "2 1 1" record, and the "3 1 1" record would be useless.

As I use an external container to renew the certificates, I cannot modify the renewal procedure, so I can't use the "current + next" rollover scheme.

To compensate, I set the TLSA TTLs to the lowest my DNS provider allows: 60 seconds. In case of a key rollover, the TLSA records will be wrong for **at most** 2 minutes (2 TTLs, just to be sure), as long as no entity on the way keeps the record longer than the specified TTL (that can happen with lazy ISPs). TLSA records being borked for 2 minutes once every few months shouldn't be an issue.

Although this is not new, if maybe a bit young (from 2012), this technology isn't widespread.

## References and links

- Article from Abyss Project: [link](https://www.abyssproject.net/2016/09/creer-utiliser-enregistrements-tlsa-dane/)
- Internet technologies tester: [link](https://internet.nl/)
- SMTP Protection HowTo: [link](https://github.com/internetstandards/toolbox-wiki)
- OVH API: [link](https://eu.api.ovh.com/)
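As an added example (not this project's code), here is how the "3 1 1" record data discussed under "Rollover scheme" is derived: SHA-256 over the certificate's DER SubjectPublicKeyInfo, with the "2 1 1"-style usage field and the other selector/matching-type values handled by the same function. Only the standard library is used; the input certificate is a constructed, certificate-shaped DER blob with dummy key and signature bytes (it is not a real certificate) so the example runs offline.

```python
import hashlib

def der(tag, body):
    """Encode one DER TLV; length forms cover anything certificate-sized."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def tlvs(buf):
    """Parse consecutive DER TLVs from buf into (tag, body, raw) tuples."""
    items, pos = [], 0
    while pos < len(buf):
        first = buf[pos + 1]
        nlen = first & 0x7F if first & 0x80 else 0          # long-form length?
        n = int.from_bytes(buf[pos + 2:pos + 2 + nlen], "big") if nlen else first
        start = pos + 2 + nlen
        items.append((buf[pos], buf[start:start + n], buf[pos:start + n]))
        pos = start + n
    return items

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 cert (RFC 5280 field order)."""
    cert_body = tlvs(cert_der)[0][1]            # Certificate ::= SEQUENCE { tbs, alg, sig }
    fields = tlvs(tlvs(cert_body)[0][1])        # tbsCertificate fields
    if fields[0][0] == 0xA0:                    # explicit [0] version is optional
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, _, spki = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return spki

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Build TLSA RDATA text 'usage selector matching-type hex' (RFC 6698)."""
    data = cert_der if selector == 0 else extract_spki(cert_der)   # selector 0 = full cert, 1 = SPKI
    digest = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[mtype](data)
    return f"{usage} {selector} {mtype} {digest.hex()}"

# Constructed sample: certificate-shaped DER with dummy key/signature bytes, not a real certificate.
OID = lambda h: der(0x06, bytes.fromhex(h))
SAMPLE_SPKI = der(0x30, der(0x30, OID("2A8648CE3D0201") + OID("2A8648CE3D030107"))  # id-ecPublicKey, P-256
                  + der(0x03, b"\x00\x04" + bytes(range(64))))                       # dummy EC point
_alg = der(0x30, OID("2A8648CE3D040302"))                                            # ecdsa-with-SHA256
_name = der(0x30, der(0x31, der(0x30, OID("550403") + der(0x0C, b"mail.example"))))  # CN=mail.example
_valid = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
_tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _alg
           + _name + _valid + _name + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, _tbs + _alg + der(0x03, b"\x00" + bytes(8)))                # dummy signature
```

With the 60-second TTL chosen above, the SMTP record would be published as `_25._tcp.<mail host>. 60 IN TLSA <rdata>` (the `_25._tcp` owner name is the usual form for port-25 SMTP and is an assumption here).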