On 19/11/2023 06:24, Viktor Dukhovni via Postfix-users wrote:
On Sat, Nov 18, 2023 at 04:33:46PM +0900, Byung-Hee HWANG via Postfix-users wrote:

or if you prefer:

     _25._tcp.mx1.org.example. IN CNAME _25._tlsa.org.example.
     _25._tcp.mx2.org.example. IN CNAME _25._tlsa.org.example.
     ...
     _25._tcp.mxN.org.example. IN CNAME _25._tlsa.org.example.
     ;
     _25._tlsa.org.example. IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d ; R3
     _25._tlsa.org.example. IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 ; R4
     _25._tlsa.org.example. IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 ; E1
     _25._tlsa.org.example. IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 ; E2
Thank you for the clear summary. I did update all again.

Good job, you're set until some future change a few years down the line.

     _25._tcp.yw-0919.doraji.xyz. IN CNAME rfc7671.doraji.xyz.
     _25._tcp.yw-1204.doraji.xyz. IN CNAME rfc7671.doraji.xyz.
     rfc7671.doraji.xyz. IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
     rfc7671.doraji.xyz. IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
     rfc7671.doraji.xyz. IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
     rfc7671.doraji.xyz. IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270

It may be prudent to mark your calendar to check the Let's Encrypt
certificate page once or twice a year, and make appropriate changes if
new intermediate issuer CAs are introduced, or extant ones retired.

     https://letsencrypt.org/certificates/

Can I check I have not missed something here?


When I use Viktor's changen.sh I get a TLSA 3 1 1 which matches the TLSA 2 1 1 above.


;; subject=C = US, O = Let's Encrypt, CN = R3

;; issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
;; notBefore=Sep  4 00:00:00 2020 GMT
;; notAfter=Sep 15 16:00:00 2025 GMT
;;
_25._tcp.mx.org.example. IN TLSA 3 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d


And I get a TLSA 2 1 1 which is not listed:


;; subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
;; issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
;; notBefore=Jan 20 19:14:03 2021 GMT
;; notAfter=Sep 30 18:14:03 2024 GMT
;;
_25._tcp.mx.org.example. IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3
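As an added example (not code from this thread, nor Viktor's script), a stdlib-only Python script that computes the hex field of a "2 1 1" or "3 1 1" TLSA record, that is SHA-256 over the DER-encoded SubjectPublicKeyInfo, for every certificate in a PEM chain, so published records like the ones above can be checked against the certificates a server actually presents. The owner name `_25._tcp.mx.example.` and the sample certificate built at the bottom are constructed placeholders, not real data.

```python
"""Hex field of DANE TLSA 'usage 1 1' records: SHA-256 over the DER SubjectPublicKeyInfo
of each certificate in a PEM chain. Standard library only.
Usage: python tlsa_spki.py chain.pem   (e.g. the chain saved from openssl s_client -showcerts)
"""
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert_der):
    """Return the SubjectPublicKeyInfo TLV (tag + length + value) of a DER certificate."""
    _, pos, _ = _tlv(cert_der, 0)                   # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, tbs_end = _tlv(cert_der, pos)           # TBSCertificate ::= SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version (absent in v1 certs)
        pos = end
    for _ in range(5):                              # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)               # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30 or end > tbs_end:
        raise ValueError("malformed certificate: no SubjectPublicKeyInfo where expected")
    return cert_der[pos:end]

def tlsa_digest(cert_der):
    """Matching type 1 (SHA-256) over selector 1 (SPKI): the hex field of a '2 1 1' / '3 1 1' record."""
    return hashlib.sha256(spki_der(cert_der)).hexdigest()

def tlsa_records(pem_bytes, owner="_25._tcp.mx.example.", usage=2):
    """One '<owner> IN TLSA <usage> 1 1 <digest>' line per certificate in the PEM input."""
    certs = [base64.b64decode(b"".join(m.group(1).split())) for m in PEM_RE.finditer(pem_bytes)]
    return [f"{owner} IN TLSA {usage} 1 1 {tlsa_digest(c)}" for c in certs]

# --- constructed sample (NOT a real certificate): minimal DER shell around a dummy Ed25519 SPKI ---
def _der(tag, payload):
    """Encode one TLV; one long-form length byte is enough for payloads up to 255 bytes."""
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + payload

SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, b"\x2B\x65\x70")) + _der(0x03, b"\x00" + b"\x11" * 32))

def sample_cert_der(with_version=True):
    """Synthetic certificate: empty names, dummy validity and signature; exercises the TLV walker."""
    tbs = _der(0xA0, _der(0x02, b"\x02")) if with_version else b""
    tbs += _der(0x02, b"\x01") + _der(0x30, _der(0x06, b"\x2B\x65\x70")) + _der(0x30, b"")
    tbs += _der(0x30, _der(0x17, b"230101000000Z") + _der(0x17, b"240101000000Z")) + _der(0x30, b"")
    return _der(0x30, _der(0x30, tbs + SAMPLE_SPKI) + _der(0x30, _der(0x06, b"\x2B\x65\x70")) + _der(0x03, b"\x00" * 65))

def sample_pem():
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(sample_cert_der()) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sys.stdin.buffer.read()
    print("\n".join(tlsa_records(data)))
```

Run it on the chain a server presents and the intermediate's line should equal the published "2 1 1" record; the leaf's line is what a "3 1 1" record would carry.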


_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org