On Mon, Jun 10, 2024 at 10:06:26PM +1000, Viktor Dukhovni via mailop wrote:
> > Although there are better alternatives to 2 1 1 with Let's Encrypt, some
> > still use 2 1 1, and it seems Exchange Online is not happy when there are 14
> > TLSA records (why 14? because https://letsencrypt.org/certificates/)... A
> > good reason to not use 2 1 1....
>
> The below includes four of the TLSA records twice, which is indeed
> invalid:
>
> e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
> bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
> 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
> 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
>
> Each RR should appear exactly once in an RRset. Perhaps that's the
> problem and not the record count? Do you still have the below published
> in live DNS?

See https://datatracker.ietf.org/doc/html/rfc4034#section-6.3

Did your zone signing software accept the duplicates? What are you using as
your signing software?

-- 
Viktor.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
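The check Viktor is describing, as an added example that is not code from the thread or from any signing software: RFC 4034 section 6.3 says an RRset containing duplicate RRs is a protocol error, and an implementation that tolerates it must keep only one copy when computing the canonical form. The script below parses presentation-format TLSA records into wire RDATA, sorts them in section 6.3 canonical order, and reports duplicates and digest-length mismatches. The sample RRset reuses the four SHA-256 values quoted above, each listed twice as in the problem report, plus one constructed all-zero digest; the owner name `_25._tcp.mx.example.` is a placeholder.

```python
"""Lint a TLSA RRset: duplicate RRs and RFC 4034 section 6.3 canonical ordering.
Added example, not code from the mailop thread."""
from collections import Counter
from typing import Iterable, List

# TLSA RDATA on the wire: usage(1) | selector(1) | matching type(1) | association data.
# Association-data length per matching type (RFC 6698): 1 = SHA-256, 2 = SHA-512.
DIGEST_LENGTH = {1: 32, 2: 64}


def parse_tlsa(text: str) -> bytes:
    """Presentation-format TLSA record -> wire-format RDATA.

    Accepts bare "usage selector mtype hexdata" or a full zone-file line
    ("_25._tcp.mx.example. 3600 IN TLSA 2 1 1 <hex>"). Whitespace inside the
    hex (line-wrapped zone files) is ignored.
    """
    fields = text.split()
    if "TLSA" in fields:
        fields = fields[fields.index("TLSA") + 1:]
    if len(fields) < 4:
        raise ValueError(f"not a TLSA record: {text!r}")
    usage, selector, mtype = (int(f) for f in fields[:3])
    for name, val in (("usage", usage), ("selector", selector), ("matching type", mtype)):
        if not 0 <= val <= 255:
            raise ValueError(f"{name} out of range: {val}")
    return bytes([usage, selector, mtype]) + bytes.fromhex("".join(fields[3:]))


def to_presentation(rdata: bytes) -> str:
    """Inverse of parse_tlsa: wire RDATA -> "usage selector mtype hexdata"."""
    return f"{rdata[0]} {rdata[1]} {rdata[2]} {rdata[3:].hex()}"


def canonical_rrset(records: Iterable[str]) -> List[bytes]:
    """RFC 4034 section 6.3 canonical RRset: each RR exactly once, sorted by RDATA
    as left-justified unsigned octet strings (a missing octet sorts before 0x00).
    Python's ordering on bytes is exactly that comparison."""
    return sorted({parse_tlsa(r) for r in records})


def duplicate_rrs(records: Iterable[str]) -> List[bytes]:
    """RDATA values published more than once (the defect in the thread)."""
    counts = Counter(parse_tlsa(r) for r in records)
    return sorted(rd for rd, n in counts.items() if n > 1)


def lint_rrset(records: Iterable[str]) -> List[str]:
    """Human-readable problems a strict signer or validator may reject."""
    records = list(records)
    problems = [f"duplicate RR: {to_presentation(rd)}" for rd in duplicate_rrs(records)]
    for rd in canonical_rrset(records):
        mtype, data = rd[2], rd[3:]
        expected = DIGEST_LENGTH.get(mtype)
        if expected is not None and len(data) != expected:
            problems.append(
                f"matching type {mtype} needs a {expected}-byte digest, "
                f"got {len(data)}: {to_presentation(rd)}"
            )
    return problems


# Constructed sample RRset: the four digests quoted in the thread, each twice,
# plus an all-zero digest that is a placeholder, not a real CA key digest.
_THREAD_DIGESTS = [
    "e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03",
    "bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270",
    "8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d",
    "276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10",
]
SAMPLE_RRSET = [f"_25._tcp.mx.example. IN TLSA 2 1 1 {d}" for d in _THREAD_DIGESTS] * 2
SAMPLE_RRSET.append("2 1 1 " + "00" * 32)


if __name__ == "__main__":
    for problem in lint_rrset(SAMPLE_RRSET):
        print(problem)
    print(f"{len(SAMPLE_RRSET)} RRs published, "
          f"{len(canonical_rrset(SAMPLE_RRSET))} distinct after canonicalization")
```

Running it on a zone's live TLSA answer (for example the output of `dig +short TLSA _25._tcp.<host>`, one record per line) shows whether the published count and the canonical count differ; a signer that silently applied the section 6.3 deduplication would have produced an RRSIG over fewer RRs than are actually served.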