On Sun, Aug 24, 2025 at 03:57:26AM +1000, Viktor Dukhovni wrote:
> It appears that starting a couple of days ago, newly issued/renewed
> Let's Encrypt (LE) certificates will be signed by R12, R13, E7 and E8,
> rather than the previously active R10, R11, E5 and E6. See the
> announcement at:
>
>
> https://community.letsencrypt.org/t/switching-issuance-to-new-intermediates/240073
>
> and the associated advice on the DANE survey site:
>
> https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
By this time all certificates issued by R10, R11, E5, E6 and all
previously retired CAs have expired, and publishing TLSA records
matching such CAs no longer makes sense (it is unnecessary bloat in
your DNS data and a security exposure should their keys be
compromised).

Therefore, all the below DANE-TA(2) TLSA records should be dropped from
all TLSA RRsets (some Cert(0) selectors appear multiple times for the same
CA because there are multiple versions of that intermediate CA's
certificate with different issuers, ...).
- R11:
2 1 2 8854317b0a187b35956b5fd361f6101c86be4741107be8847ef4e3f48abf53200f65414c281fbdf08218ff14d15d6d1c5f2e9a1f09d7ce39d0ecf6adb654ea4a
2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7
2 0 2 429fdae7d17a336879b0e6316ae6a5341ae5abb7ec7f7ed7eaad807228e346e7942378ef8cdd50cdd3b84670b0af274763d6e90d58eb3a483fb52d97f204b6da
2 0 1 591e9ce6c863d3a079e9fabe1478c7339a26b21269dde795211361024ae31a44
- R10:
2 1 2 86fb010ee652f162e22ba2ba48e45d3a19ee557ab8d2601aabd62c993a81417467bf9a8c50ba03f2315dfbb028478b22923bd87e3bbeeb02fc1f69104782eea4
2 1 1 2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba
2 0 2 c5d1dd8b4ee8a17a351bb0fa40cc020e9b3364c59d9006badecc61bd5ca0c2b9729eab50da166633e4b0360ab914c42aa74cca861640e0abe5514430bb0daeaa
2 0 1 9d7c3f1aa6ad2b2ec0d5cf1e246f8d9ae6cbc9fd0755ad37bb974b1f2fb603f3
- E6:
2 1 2 f8a2b4e23e82a4494e9998fcc4242bef1277656a118beede55ddfadcb82e20c5dc036dcb3b6c48d2ce04e362a9f477c82ad5a557b06b6f33b45ca6662b37c1c9
2 1 1 d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7
2 0 2 afab698cbbbf892ebb555e09175056c1d4630fe7c350f44dcc6e71843d3b290df00d30ab4e356b630c69169d7633788338922fb637cf5b9f7be20a413eeaa518
2 0 2 3a2375d29a3e66a3dd3c758cb9c056e8f5e66cf7bb49f6ac0760d27c2b41546ab757990194fc09853110978381e1feb5da22abc8037887a3a7c8a02c471c7c08
2 0 1 76e9e288aafc0e37f4390cbf946aad997d5c1c901b3ce513d3d8fadbabe2ab85
2 0 1 065ab7d2a050f947587121765d8d070c0e1330d5798faa42c2072749ed293762
- E5:
2 1 2 a1ef14fea3ca15a552d42665d2fe685672cfdd903de4b370b0d7d87c6d31b5df07142483f36e0e15e16b58f9ba1cbdeeebd4bcb8d74ab7ea32a087db2105f402
2 1 1 3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8
2 0 2 4e32b7ee52c9bd2a15b2df3cae5e3b060d737d71faaaac25336c5f193cbdb52ed2fdf38b29aea9fb97f59c8f86e75b5c364309a232623a99e638116ed66063fd
2 0 2 4f104e5ec57f442f66e2fdab6147e63a153c2f558d8b73c398898c56b44d88792061b33cee2d8c2d10f456fc1a7382b1b3fd827293f7ebfb7bf51ef38ba356ba
2 0 1 5dfdb3cf31b26f23d87c09f3a0cef642f64069a9fb7cfe29270bb5dc0f1e16bb
2 0 1 e788d14b0436b5120bbee3f15c15badf08c1407fe72568a4f16f9151c380e1e3
- E2:
2 0 2 e8ec8405ab45605ae6e4a54efd6d626f663cb7e61a10d9a6a6a08b118e0d35763d0118e263a6db64516ca9f4e7f64fcd2b5dbf9e7a7ba265870606af26f4d855
2 0 1 bacde0463053ce1d62f8be74370bbae79d4fcaf19fc07643aef195e6a59bd578
2 1 2 23a30bd3b617652e97224e1faf673c4e09f1c197e4994274e676f2490893e9560d99f00a8859e399b2c65219ce2eb9b76784a0ec775ab4973a14fc1437ac7d9f
2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
- E1:
2 0 2 0fc8bdb5b93d95bb016bb543bd74b859e4c18930964d59cfc305b93ef3212c0c20f3084ba98fbf7aac55d0d22c5b35566ed75bebe6d5a7c53ca1f949c45c3c8e
2 0 1 46494e30379059df18be52124305e606fc59070e5b21076ce113954b60517cda
2 1 2 3561540fbf182bce7749acc131b421e691f083569c053e78f20274714c5e801226ff6edb60641ddf70e71bd3a90dfe25ddd6464be78106b77dece4f6a3bff13d
2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
- R4:
2 0 2 0f0b4dd77ee99d8ed5724da618b56017d08b757884796d087bf656e62d2717b5c913cb1e2eda07aacbfdbfdcb1ba5ba52114d54c000e05b0cb755256a61c0c37
2 0 1 1a07529a8b3f01d231dfad2abdf71899200bb65cd7e03c59fa82272533355b74
2 1 2 59a91d97d81980951d0ef3c6d849b31606af9ab2b0f7dcfac93a53ae3263eb8902c3b7c564f33ff496f2d07c750b1b6924968c243882af9e3532797eef596f27
2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
- R3:
2 0 2 96c5793b2b57d8df5891c94015720960e0da4c2cf8ce1fc5707a0b46e5db8ce3761fb5fdb430f619d1579f13e80fbdd973ef6a024129ed039aa193273158fcad
2 0 1 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
2 1 2 0f644c9a1dcb8c04be6b385a60dbe4fdf7e2b81e335c9ad8c7cd0abe2ff9e7e5bbfbb68b38dd0216f17808f48bdf6af8c6347659c1f41a9858032c31f436d12c
2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
- X4:
2 0 2 964468a5c685f305aa5865c049d814770b844df2cf7645f9a4afaf42957e334bcf1f290babaafe020c4e9a68c5689d570e37f11114ffd676c95b17b3d768b932
2 0 2 74ddad9f8cdfa0fe6f6b70301b557a63a58b87fc2c17fae0f65e47d141226c062a74fa14861dc47a720bd8699b99091a06bd695cdde51222f837b9decfc270c5
2 0 1 a74b0c32b65b95fe2c4f8f098947a68b695033bed0b51dd8b984ecae89571bb6
2 0 1 5de9152bed31fa0515dd1fc746133f1327562ef72a84cf2d2403e748a604d0d4
2 1 2 a0f5d1333bc90bcea0b0b5f401160b6e7f28a1256bc5b5d65f04b06b0bb0c96270aa81d8e2726394d385bf3e9ee46eb4ab7548c782d5688cc16d0cdffefb8594
2 1 1 b111dd8a1c2091a89bd4fd60c57f0716cce50feeff8137cdbee0326e02cf362b
- X3:
2 0 2 2e1e12dacb350e69317a7f37d769f46f16f437cf8d392319279c93515e5600baed3d3acd5dc83b673e8c60cf7fba0dce00a4d162a3b966a3ebf72487c376fca0
2 0 2 5ec5b0783c6e667e0965df772943a06326768de0f75dc0bd2fe378f02ccca7d56c987656174cbe158cc29ecd763f8bda3454332cc7d47fb934691409c5fb8686
2 0 1 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d
2 0 1 731d3d9cfaa061487a1d71445a42f67df0afca2a6c2d2f98ff7b3ce112b1f568
2 1 2 774fad8c9a6afc2bdb44faba8390d213ae592fb0d56c5dfab152284e334d7cd6abd05799236e7aa6266edf81907c60404c57ee54c10a3a82fcc2a9146629b140
2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
- X2:
2 0 2 0a46b8055caa27634ac8992ba5574e82aa6f9bd8079ced18ed561ba9062801281c26c06cf849f228d5dbc0d22e7487396723fc083f729ed40d25c519397623b3
2 0 2 070c005525584cb4ffc8ea0e6017f7cb27c995041701f60cb224293e6d398ca126ae11634e5bcc4103e28cf6c01d3bdd1fa2022b4cd9637ea69ab230f7605a37
2 0 1 ec0c6ca496a67a13342fec5221f68d4b3e53b1bc22f6e4bccc9c68f0415cdea4
2 0 1 e4eb54a7ffa552ef64d8e1ae338b69be909c29e6af57170a2f6f44df225e5a14
- X1:
2 0 2 95bed189bf575a88e7935f5967154f74908d3c32662c3f0b66af8522a6af22653fd693a39efe3639f5134466c46a16ebb7e849890fde84324de645ffe7e892b1
2 0 2 1968a36bc5fe322e7c24084ba65bbc52f28d02cc900050752adc48f56e7c1963d4d86d5cdacd1b0cb58ba2beca65714f9216af8f2d3d3d8812dde451b9514846
2 0 1 7fdce3bf4103c2684b3adbb5792884bd45c75094c217788863950346f79c90a3
2 0 1 bdee0d7c8f9c278f14ea9b6a4f90ed665a9f56db0a56b1cdda6765912f398a5e
- ISRG X1: expired 2024-09-30 cross-certificate from DST
2 0 1 6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f
2 0 2 7adc2b5f11e5d12df7adb6cee95e04f7eca714404bff58849a360b910f3afbdc37235cdd99e33b4e82efeee16d598573a4e346e0a6bdc41f70b3603c6f4324fa
The correct sets of DANE-TA(2) TLSA records to use with Let's Encrypt
are either or both of:
- ECDSA (E7-E9):
2 1 1 cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75
2 1 1 885bf0572252c6741dc9a52f5044487fef2a93b811cdedfad7624cc283b7cdd5
2 1 1 f1440a9b76e1e41e53a4cb461329bf6337b419726be513e42e19f1c691c5d4b2
- RSA (R12-R14):
2 1 1 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4
2 1 1 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d
2 1 1 f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888

The latest DANE survey stats show many MX hosts with outdated LE CA TLSA
records:

   # | CA
-----+-----
  58 | X3 -- obsolete
  11 | X4 -- obsolete
 304 | R3 -- obsolete
 103 | R4 -- obsolete
  97 | E1 -- obsolete
  80 | E2 -- obsolete
 583 | E5 -- obsolete
 581 | E6 -- obsolete
 775 | E7
 733 | E8
 443 | E9 -- missing for many ECDSA users!
 619 | R10 -- obsolete
 650 | R11 -- obsolete
 731 | R12
 722 | R13
 536 | R14 -- missing for many RSA users!
   2 | ISRG X1 -- obsolete expired DST cross-certificate
 624 | ISRG X1 -- https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#roots
 281 | ISRG X2 -- https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#roots
> If you still want to rely on TLSA records tied to the LE issuers, and
> haven't published the appropriate full set of hashes, better late than
> never. And of course you'll need to keep up with the news from LE and
> make additional timely changes in the future as the CAs used by LE
> evolve.
The above advice is still relevant.
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
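The two checks the post asks operators to perform (drop the TLSA records of retired LE intermediates, and publish the complete E7-E9 and/or R12-R14 set rather than a partial one), as an added example that is not part of Viktor's post and not Postfix code. It audits a TLSA RRset in presentation form against the "2 1 1" digests copied from the post; the function names, the sample RRset and its all-zero 3 1 1 placeholder digest are constructed for illustration, and the "2 0 x" / "2 1 2" forms of the retired CAs are left for the reader to add from the list above.

```python
"""Audit the DANE-TA(2) TLSA records of a Let's Encrypt-signed MX host.
Added example, not code from the mailing-list post or from Postfix. The CA
digests are copied from the post ("2 1 1" = SPKI, SHA-256 form only); the
sample RRset and its 3 1 1 placeholder digest are constructed."""
import re
from collections import namedtuple

# Current LE intermediates ("2 1 1" digests from the post).
CURRENT = {
    "E7": "cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75",
    "E8": "885bf0572252c6741dc9a52f5044487fef2a93b811cdedfad7624cc283b7cdd5",
    "E9": "f1440a9b76e1e41e53a4cb461329bf6337b419726be513e42e19f1c691c5d4b2",
    "R12": "919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4",
    "R13": "025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d",
    "R14": "f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888",
}
# A zone that uses a family needs all three members: LE picks the issuer
# per certificate. "Either or both" families may be published.
FAMILIES = {"ECDSA": ("E7", "E8", "E9"), "RSA": ("R12", "R13", "R14")}

# Retired LE intermediates ("2 1 1" digests from the post). Add the
# "2 0 1", "2 0 2" and "2 1 2" forms from the post if your zone has them.
OBSOLETE = {
    "R11": "6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7",
    "R10": "2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba",
    "E6": "d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7",
    "E5": "3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8",
    "E2": "bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270",
    "E1": "276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10",
    "R4": "e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03",
    "R3": "8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d",
    "X4": "b111dd8a1c2091a89bd4fd60c57f0716cce50feeff8137cdbee0326e02cf362b",
    "X3": "60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18",
}

TLSA_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+([0-9a-fA-F]+)$")
DIGEST_LEN = {1: 64, 2: 128}  # hex chars for SHA-256 / SHA-512 matching types
Tlsa = namedtuple("Tlsa", "usage selector mtype data")


def parse_tlsa(text):
    """Parse TLSA RDATA in presentation form, one record per line; ';' starts
    a comment. A digest of the wrong length for its matching type is rejected
    rather than silently accepted as a record that can never match."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = TLSA_RE.match(line)
        if not m:
            raise ValueError(f"not a TLSA record: {raw!r}")
        usage, selector, mtype = (int(x) for x in m.group(1, 2, 3))
        data = m.group(4).lower()
        want = DIGEST_LEN.get(mtype)
        if want is not None and len(data) != want:
            raise ValueError(f"matching type {mtype} needs {want} hex chars: {raw!r}")
        records.append(Tlsa(usage, selector, mtype, data))
    return records


def audit(records):
    """Classify the usage-2 records; return CA names plus records to drop/add."""
    ta = [r for r in records if r.usage == 2]
    by_digest = {r.data: r for r in ta if (r.selector, r.mtype) == (1, 1)}
    obsolete = sorted(ca for ca, d in OBSOLETE.items() if d in by_digest)
    present = sorted(ca for ca, d in CURRENT.items() if d in by_digest)
    in_use = {fam for fam, members in FAMILIES.items() if set(members) & set(present)}
    if not in_use and obsolete:
        in_use = set(FAMILIES)  # only retired CAs: family unknown, require both
    missing = [ca for fam, members in FAMILIES.items() if fam in in_use
               for ca in members if ca not in present]
    return {
        "obsolete": obsolete,
        "present": present,
        "missing": missing,
        "drop": [" ".join(map(str, by_digest[OBSOLETE[ca]])) for ca in obsolete],
        "add": [f"2 1 1 {CURRENT[ca]}" for ca in missing],
    }


# Constructed sample of the pattern the survey flags: E9 missing, R10/R11
# still published, plus an end-entity pin (usage 3) that the audit ignores.
SAMPLE = "\n".join([
    f"3 1 1 {'0' * 64}  ; EE pin, placeholder digest",
    f"2 1 1 {CURRENT['E7']}",
    f"2 1 1 {CURRENT['E8']}",
    f"2 1 1 {OBSOLETE['R10']}",
    f"2 1 1 {OBSOLETE['R11']}",
])

if __name__ == "__main__":
    report = audit(parse_tlsa(SAMPLE))
    for key in ("obsolete", "present", "missing"):
        print(f"{key:8}: {', '.join(report[key]) or '-'}")
    for action in ("drop", "add"):
        for rr in report[action]:
            print(f"{action:4}: {rr}")
```

Feed it the RDATA of `dig +short TLSA _25._tcp.mx.example` (with the dig output's whitespace inside the hex field removed) and act on the "drop" and "add" lines. The family rule is deliberate: a zone with E7 and E8 but not E9 looks fine until LE issues the renewal from E9, which is exactly the "missing for many ECDSA users" case in the survey table.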