On Mon, Jun 10, 2024 at 12:06:26PM +0200, Kirill Miazine via mailop wrote:

> Although there are better alternatives to 2 1 1 with Let's Encrypt, some
> still use 2 1 1, and it seems Exchange Online is not happy when there are 14
> TLSA records (why 14? because https://letsencrypt.org/certificates/)... A
> good reason to not use 2 1 1....

The below includes four of the TLSA records twice, which is indeed
invalid:

    e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
    bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
    8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
    276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10

Each RR should appear exactly once in an RRset.  Perhaps that's the
problem and not the record count?  Do you still have the below published
in live DNS?

>  ; TLSA - LE certs published at https://letsencrypt.org/certificates/
> -_le-tlsa       TLSA    2 1 1
> 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 ; LE E1
> -               TLSA    2 1 1
> bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 ; LE E2
> -               TLSA    2 1 1
> 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d ; LE R3
> -               TLSA    2 1 1
> e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 ; LE R4
> +_le-tlsa       TLSA    2 1 1
> 3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8 ; LE
> +               TLSA    2 1 1
> d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7
> +               TLSA    2 1 1
> 2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba
> +               TLSA    2 1 1
> 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7
> +               TLSA    2 1 1
> cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75
> +               TLSA    2 1 1
> 885bf0572252c6741dc9a52f5044487fef2a93b811cdedfad7624cc283b7cdd5
> +               TLSA    2 1 1
> f1440a9b76e1e41e53a4cb461329bf6337b419726be513e42e19f1c691c5d4b2
> +               TLSA    2 1 1
> 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4
> +               TLSA    2 1 1
> 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d
> +               TLSA    2 1 1
> f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888
> +               TLSA    2 1 1
> 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
> +               TLSA    2 1 1
> 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
> +               TLSA    2 1 1
> e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
> +               TLSA    2 1 1
> bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
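
Review bot: the last four `+` records repeat the hashes of the four `-` records (LE E1, E2, R3, R4) without their comments, and of the other ten added records only the first carries one (`; LE`). Leave the four retained records as unchanged context lines so the change reads as ten additions, and label every added hash with the certificate it pins, as the removed lines did.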

-- 
    Viktor.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
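
The "each RR exactly once in an RRset" rule from the message above can be checked before a zone is published. The following is an added example, not part of the original thread: the function names are hypothetical and the sample RRset is constructed with filler digests. It canonicalises each TLSA RDATA first, because the same record can be spelled with different hex case or with the hex field split into chunks.

```python
import binascii
from collections import Counter

# Digest sizes in bytes for TLSA matching types 1 (SHA-256) and 2 (SHA-512).
DIGEST_LEN = {1: 32, 2: 64}


def parse_tlsa(rdata):
    """Canonicalise presentation-format TLSA RDATA to (usage, selector, mtype, bytes)."""
    fields = rdata.split(";", 1)[0].split()  # drop a trailing zone-file comment
    if len(fields) < 4:
        raise ValueError(f"incomplete TLSA rdata: {rdata!r}")
    usage, selector, mtype = (int(f) for f in fields[:3])
    # The hex field may be written as several whitespace-separated chunks.
    data = binascii.unhexlify("".join(fields[3:]))
    want = DIGEST_LEN.get(mtype)
    if want is not None and len(data) != want:
        raise ValueError(f"matching type {mtype} needs {want} bytes, got {len(data)}")
    return usage, selector, mtype, data


def duplicate_rrs(rdatas):
    """Return the canonical records that occur more than once, with their counts."""
    counts = Counter(parse_tlsa(r) for r in rdatas)
    return {rr: n for rr, n in counts.items() if n > 1}


# Constructed sample RRset (digests are filler, not real certificate hashes).
A = "ab" * 32
B = "cd" * 32
SAMPLE = [
    f"2 1 1 {A} ; first",
    f"2 1 1 {B}",
    f"2 1 1 {A.upper()[:32]} {A.upper()[32:]}",  # same RR, different spelling
    f"3 1 1 {B}",  # differs in usage, so it is a distinct RR
]

if __name__ == "__main__":
    for (u, s, m, d), n in duplicate_rrs(SAMPLE).items():
        print(f"duplicate x{n}: {u} {s} {m} {d.hex()}")
```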
