On Sat, 2024-06-29 at 10:31 +1000, Viktor Dukhovni via mailop wrote:

> Reading your first post brought to mind the recent report of potential
> issues at Microsoft's outbound servers with "too many" TLSA records
> (more than ~12). I was looking at your TLSA RRset (14 TLSA records):
I've been busy elsewhere and I guess I missed out on that. There was a post here (Tony?) sometime back about updating TLSA records used with Let's Encrypt and I tried to future-proof by adding both the RSA and ECDSA records.

[snip]

> That said, do you really need all 14 records?
>
> R3 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
> R4 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
> --
> E1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
> E2 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
> --
> R10 2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba
> R11 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7
> R12 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4
> R13 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d
> R14 f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888
> ---
> E5 3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8
> E6 d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7
> E7 cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75
> E8 885bf0572252c6741dc9a52f5044487fef2a93b811cdedfad7624cc283b7cdd5
> E9 f1440a9b76e1e41e53a4cb461329bf6337b419726be513e42e19f1c691c5d4b2
>
> The MX host in question has RSA-only certs, and the "E*" TLSA records
> are redundant. If you force cert renewal, you'll be switched from R3
> to one of R10/R11, and can then drop the R3/R4 records too.
>
> If that helps, someone with the right contacts to escalate this, should
> try to get through to Microsoft to fix what is I think a serious enough
> interoperability problem.

Thank you for the detailed breakdown of the problem and resolution. I have removed the E* TLSA records and mails from Microsoft are flowing in. I'll make a note to remove the R3/R4 records next week and then plan for adding the E* TLSA records back in and switching to ECDSA in the near future.
Thanks again Viktor, you've been an awesome help.

-Jim P.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
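Added example, not from the thread and not Viktor's tooling: a small Python checker that computes the TLSA "3 0 1" / "3 1 1" style digests of the certificate an MX host actually serves and reports which records in the published RRset match it and which cannot (retired keys or, as in the thread, ECDSA records on an RSA-only host), plus a flag for the rough "more than ~12 records" count Viktor mentions. It assumes a constructed, unsigned DER certificate as stand-in input (a minimal hand-written DER walker extracts the SPKI), and the 12-record threshold is taken from the thread as a heuristic, not a standard.

```python
"""Check an MX host's TLSA RRset against the certificate it serves (added
example, not from the thread): unmatched records are stale or for another key type."""
import hashlib
MAX_TLSA_RECORDS = 12  # rough threshold from the thread; an assumption, not a standard

def _tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def spki_from_der(der):
    """Return the subjectPublicKeyInfo TLV (TLSA selector 1) of a DER certificate."""
    _, p, _ = _tlv(der, 0)            # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)            # tbsCertificate SEQUENCE
    if der[p] == 0xA0:                # optional [0] EXPLICIT version
        _, _, p = _tlv(der, p)
    for _ in range(5):                # serial, signature, issuer, validity, subject
        _, _, p = _tlv(der, p)
    return der[p:_tlv(der, p)[2]]

def tlsa_digest(der, selector, mtype):
    """Digest of the full cert (selector 0) or its SPKI (selector 1), SHA-256/512."""
    data = der if selector == 0 else spki_from_der(der)
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest()

def audit(records, der):
    """records: (usage, selector, mtype, hexdigest) tuples. Split by match status."""
    matched = [r for r in records if r[3].lower() == tlsa_digest(der, r[1], r[2])]
    return {"matched": matched, "stale": [r for r in records if r not in matched],
            "too_many": len(records) > MAX_TLSA_RECORDS}

def _der(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed sample cert."""
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (ln if len(body) < 128 else bytes([0x80 | len(ln)]) + ln) + body

# Constructed, unsigned stand-in for an RSA-only MX certificate (rsaEncryption OID).
_RSA_ALG = _der(0x30, bytes.fromhex("06092A864886F70D010101") + b"\x05\x00")
SAMPLE_SPKI = _der(0x30, _RSA_ALG + _der(0x03, b"\x00" + b"not-a-real-key" * 4))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _RSA_ALG
            + _der(0x30, b"") + _der(0x30, _der(0x17, b"240101000000Z") * 2)
            + _der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _RSA_ALG + _der(0x03, b"\x00" * 17))
# Constructed RRset: two records for the served RSA key plus placeholders that
# can never match this host (an ECDSA key and a retired RSA key).
SAMPLE_RRSET = [(3, 1, 1, tlsa_digest(SAMPLE_CERT, 1, 1)),
                (3, 0, 1, tlsa_digest(SAMPLE_CERT, 0, 1)),
                (3, 1, 1, "e" * 64), (3, 1, 1, "f" * 64)]
```

On a real host, replace SAMPLE_CERT with the DER of the certificate the MX presents on port 25 and SAMPLE_RRSET with the published `_25._tcp.<mx>` TLSA data; every record listed under "stale" is a candidate for removal once no older certificate still needs it.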