Hello Viktor,

Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> writes:

> On Wed, Nov 15, 2023 at 04:53:17PM +0100, Geert Hendrickx via Postfix-users 
> wrote:
>
>> On Wed, Nov 15, 2023 at 10:29:41 -0500, James Cloos via Postfix-users wrote:
>> > LE announced a while back that they would not renew the cross cert.
>> 
>> Yes, but dropping the cross-signed X1 root cert from the default chain
>> last week was an accident:
>> https://community.letsencrypt.org/t/shortening-the-lets-encrypt-chain-of-trust/201580/2
>> 
>> They plan to stop providing the cross-signed "long chain" by default
>> in February 2024, and completely in June, as the cross-sign expires
>> in September.  Dropping it last week was unintended.
>
> Many thanks for that reference.  The ensuing conversation on the LE
> forum uncovered a second potential future incompatibility to plan for:
>
>     https://community.letsencrypt.org/t/short-chain-and-dane/208422/8?u=ietf-dane
>
> Let's Encrypt are apparently also planning to *randomise* the choice of
> intermediate issuer CA used with each renewal.  Instead of consistently
> using say "R3", they'll randomly choose one of R3/R4/E1/E2.
>
> Therefore, anyone who publishes TLSA records for just one of the 4
> issuers, will eventually also be "disappointed".
>
> If you're using Let's Encrypt as your CA and prefer to publish
> DANE-TA(2), rather than DANE-EE(3) TLSA records, please look over:
>
>     <http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html>
>
> carefully, and publish all four of the **required** TLSA records, for
> each MX host:
>
>     _25._tcp.mx1.org.example. IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d ; R3
>     _25._tcp.mx1.org.example. IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 ; R4
>     _25._tcp.mx1.org.example. IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 ; E1
>     _25._tcp.mx1.org.example. IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 ; E2
>     ...
>
> or if you prefer:
>
>     _25._tcp.mx1.org.example. IN CNAME _25._tlsa.org.example.
>     _25._tcp.mx2.org.example. IN CNAME _25._tlsa.org.example.
>     ...
>     _25._tcp.mxN.org.example. IN CNAME _25._tlsa.org.example.
>     ;
>     _25._tlsa.org.example. IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d ; R3
>     _25._tlsa.org.example. IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 ; R4
>     _25._tlsa.org.example. IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 ; E1
>     _25._tlsa.org.example. IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 ; E2

Thank you for the clear summary. I did update all again.

Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
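As an added example (not part of Viktor's message or Byung-Hee's reply), the Python script below, standard library only, does the two checks a DANE-TA(2) publisher would want after reading the thread: it parses a zone-file TLSA RRset and reports which of the four Let's Encrypt intermediates (R3/R4/E1/E2, digests copied from the records quoted above) have no matching "2 1 1" record, and it derives the "2 1 1" digest (SHA-256 over the DER-encoded SubjectPublicKeyInfo) from a DER certificate with a small ASN.1 walker, so an issuer certificate taken from the served chain can be compared with what is published. The certificate fixture it builds (`constructed_cert`), the sample zone lines and all function names are constructed for this demonstration; they are not from the thread.

```python
"""Added example: DANE-TA(2) coverage check for the Let's Encrypt intermediates,
plus derivation of 'TLSA 2 1 1' digests from DER certificates (stdlib only)."""
import hashlib
import re

# SPKI SHA-256 digests of the four Let's Encrypt intermediates, copied from the
# TLSA records quoted in the thread.
LE_ISSUERS = {
    "R3": "8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d",
    "R4": "e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03",
    "E1": "276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10",
    "E2": "bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270",
}

# RDATA of a zone-file TLSA line; the hex digest may be split by whitespace.
_TLSA_RE = re.compile(
    r"\bIN\s+TLSA\s+(\d)\s+(\d)\s+(\d)\s+([0-9a-fA-F][0-9a-fA-F\s]*?)\s*(?:;.*)?$")


def parse_tlsa_rrset(zone_text):
    """Return {(usage, selector, matching_type, hexdigest), ...} from zone lines."""
    records = set()
    for line in zone_text.splitlines():
        m = _TLSA_RE.search(line)
        if m:
            usage, selector, mtype = (int(x) for x in m.group(1, 2, 3))
            records.add((usage, selector, mtype, re.sub(r"\s+", "", m.group(4)).lower()))
    return records


def missing_le_issuers(zone_text):
    """Names of LE intermediates that have no matching 'TLSA 2 1 1' record published."""
    published = {d for (u, s, m, d) in parse_tlsa_rrset(zone_text) if (u, s, m) == (2, 1, 1)}
    return sorted(name for name, d in LE_ISSUERS.items() if d not in published)


def _tlv(buf, pos):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """(tag, tlv_start, tlv_end) for each TLV directly inside a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, _, value_end = _tlv(buf, pos)
        out.append((tag, pos, value_end))
        pos = value_end
    return out


def spki_from_der_cert(der):
    """Raw SubjectPublicKeyInfo TLV of a DER X.509 certificate (RFC 5280 field order)."""
    _, cert_start, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)   # tbsCertificate SEQUENCE
    fields = _children(der, tbs_start, tbs_end)
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    tag, start, end = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return der[start:end]


def spki_digest(spki):
    """Selector 1 (SPKI) with matching type 1 (SHA-256), as lowercase hex."""
    return hashlib.sha256(spki).hexdigest()


def tlsa_2_1_1_from_der(der):
    """The digest a 'TLSA 2 1 1' record for this (issuer) certificate must carry."""
    return spki_digest(spki_from_der_cert(der))


def cert_is_covered(zone_text, der):
    """True if the RRset already contains a '2 1 1' record for this certificate."""
    return (2, 1, 1, tlsa_2_1_1_from_der(der)) in parse_tlsa_rrset(zone_text)


def _der(tag, payload):
    """Encode one definite-length DER TLV (payloads up to 65535 bytes)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    if n < 0x100:
        return bytes([tag, 0x81, n]) + payload
    return bytes([tag, 0x82, n >> 8, n & 0xFF]) + payload


def constructed_cert(key_bits, with_version=True):
    """Constructed fixture: an unsigned but structurally valid DER certificate
    skeleton around a fake SPKI. Returns (cert_der, spki_der). Not a real cert."""
    alg_id = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + key_bits))
    name = _der(0x30, b"")                                                       # empty Name
    validity = _der(0x30, _der(0x17, b"230101000000Z") + _der(0x17, b"240101000000Z"))
    tbs_fields = _der(0x02, b"\x01") + alg_id + name + validity + name + spki
    if with_version:
        tbs_fields = _der(0xA0, _der(0x02, b"\x02")) + tbs_fields
    cert = _der(0x30, _der(0x30, tbs_fields) + alg_id + _der(0x03, b"\x00" * 17))
    return cert, spki


# Constructed zone excerpt that publishes only the R3 digest, the situation the thread warns about.
SAMPLE_ZONE_R3_ONLY = (
    "_25._tcp.mx1.org.example. IN TLSA 2 1 1 "
    "8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d ; R3\n")


def full_le_zone(owner="_25._tlsa.org.example."):
    """Render the complete four-record RRset recommended in the thread."""
    return "".join(f"{owner} IN TLSA 2 1 1 {d} ; {name}\n" for name, d in LE_ISSUERS.items())


if __name__ == "__main__":
    print("missing with R3 only:", missing_le_issuers(SAMPLE_ZONE_R3_ONLY))
    print("missing with all four:", missing_le_issuers(full_le_zone()))
    cert, _ = constructed_cert(b"\x42" * 32)
    print("fixture TLSA 2 1 1:", tlsa_2_1_1_from_der(cert))
```

To run the same check against a real issuer certificate, feed `tlsa_2_1_1_from_der()` the bytes of `openssl x509 -in issuer.pem -outform DER` for each intermediate in the served chain and confirm `cert_is_covered()` is true for the RRset actually published in DNS. The walker deliberately handles both v3 certificates (with the `[0]` version field) and v1 certificates (without it), since the SPKI index shifts by one between them.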