The Graphviz project is using GitLab Pages to host their website graphviz.org, and although I don’t speak for them, I am researching this matter for them. It would be really nice if we could enable DANE without having to update the TLSA record all of the time. Since GitLab handles the certificate generation, this is kind of out of our hands. It would be really nice if GitLab would always use the same public-private keypair when renewing TLS certificates so that way, we could include a hash of the public key in our TLSA record and not have to update the record when certificates get renewed.
If this is not attainable right now, I don’t see how any GitLab Pages site is practically supposed to use DANE. Is there some way we could get a notification when the certificate is changed? In any case, please consider this a proper request for such a feature, a feature to keep the public key consistent with TLS certificate renewals.
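The reason key reuse matters for this request is the TLSA usage/selector/matching-type combination the post is describing: a `3 1 1` record (DANE-EE, SubjectPublicKeyInfo, SHA-256) hashes only the public key, so it keeps matching as long as each renewed certificate carries the same key pair, whereas a `3 0 1` record hashes the whole certificate and breaks on every renewal. The script below is an added example written for this page, not something from the poster, GitLab or the Graphviz project. It assumes only the `openssl` CLI, generates throw-away keys and self-signed certificates locally to stand in for the certificates GitLab issues, and uses the placeholder host name `example.org`. It computes both record types, shows which one survives a same-key renewal versus a new-key renewal, and ends with the comparison an operator could run on a schedule to notice that the live certificate no longer matches the published record.

```shell
#!/bin/sh
# Added example (not from the original post). Shows why a TLSA "3 1 1" record
# (DANE-EE, SPKI selector, SHA-256) survives a renewal that reuses the key pair
# while a "3 0 1" record (full certificate) does not. Requires the openssl CLI.
# All keys and certificates below are generated locally; the host name is a placeholder.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=example.org   # placeholder, not a real deployment

# TLSA 3 1 1 data: SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo
spki_digest() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# TLSA 3 0 1 data: SHA-256 of the whole DER-encoded certificate
cert_digest() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# The record an operator would publish for HTTPS on port 443 (3 1 1 form)
tlsa_record() {
  # $1 = certificate file, $2 = host name
  printf '_443._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$(spki_digest "$1")"
}

# Monitoring check: does the live certificate still match the published digest?
# Returns 0 when it matches, 1 when the record would need updating.
matches_published() {
  # $1 = certificate file, $2 = digest currently in DNS
  [ "$(spki_digest "$1")" = "$2" ]
}

# Stand-in for an issuance/renewal: self-signed cert from a given private key.
# Serial numbers are set explicitly so two "renewals" are distinct certificates.
issue_cert() {
  # $1 = private key file, $2 = output certificate, $3 = serial number
  openssl req -x509 -new -key "$1" -out "$2" -days 1 \
    -subj "/CN=$HOST" -set_serial "$3" 2>/dev/null
}

# Key pair A: initial issuance, then a renewal that keeps the same key pair
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
  -out "$WORK/key_a.pem" 2>/dev/null
issue_cert "$WORK/key_a.pem" "$WORK/cert1.pem" 1
issue_cert "$WORK/key_a.pem" "$WORK/cert2.pem" 2

# Key pair B: a renewal that also rotates the key (what the post wants to avoid)
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
  -out "$WORK/key_b.pem" 2>/dev/null
issue_cert "$WORK/key_b.pem" "$WORK/cert3.pem" 3

# Digest that would have been published at initial issuance
PUBLISHED=$(spki_digest "$WORK/cert1.pem")

echo "Published record:"
tlsa_record "$WORK/cert1.pem" "$HOST"
echo
echo "3 0 1 (full cert) changes on every renewal:"
echo "  cert1: $(cert_digest "$WORK/cert1.pem")"
echo "  cert2: $(cert_digest "$WORK/cert2.pem")"
echo
echo "3 1 1 (SPKI) changes only when the key pair changes:"
echo "  cert1: $(spki_digest "$WORK/cert1.pem")"
echo "  cert2: $(spki_digest "$WORK/cert2.pem")"
echo "  cert3: $(spki_digest "$WORK/cert3.pem")"
echo
for c in cert2 cert3; do
  if matches_published "$WORK/$c.pem" "$PUBLISHED"; then
    echo "$c: still matches the published TLSA record"
  else
    echo "$c: MISMATCH, DANE validation would fail until the record is updated"
  fi
done
```

The `matches_published` check is the piece that addresses the notification question in the post: run against the certificate the site currently serves, it reports when a renewal has rotated the key and the DNS record needs attention, independent of whether the hosting platform announces the change.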