Hello,

Just to ensure I've understood this well: if I'm using "3 1 1" I don't need to change anything, right?

thanks

patpro

September 21, 2020 9:49 AM, "Viktor Dukhovni" <postfix-us...@dukhovni.org> wrote:

> On Mon, Sep 21, 2020 at 04:22:42AM -0200, Viktor Dukhovni wrote:
>
>> Links to the actual certificates can be found at:
>>
>> https://letsencrypt.org/certificates
>> https://letsencrypt.org/certs/lets-encrypt-r3.pem
>> https://letsencrypt.org/certs/lets-encrypt-e1.pem
>>
>> The "2 1 1" digests of "R3" and "E1" are (but don't take my word for it,
>> re-compute these for yourself):
>>
>> ; $ tlsagen lets-encrypt-r3.pem smtp.example.org 2 1 1
>> ;
>> _25._tcp.smtp.example.org. IN TLSA 2 1 1
>> 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
>>
>> ; $ tlsagen lets-encrypt-e1.pem smtp.example.org 2 1 1
>> ;
>> _25._tcp.smtp.example.org. IN TLSA 2 1 1
>> 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
>
> It was correctly noted in:
>
> https://community.letsencrypt.org/t/dane-and-upcoming-le-issuer-certs/134172/2?u=ietf-dane
>
> that the "backup" CAs should also be listed, as LE might need to switch
> to using them in an emergency without prior notice.
>
> Therefore the full list of DANE-TA(2) digests to publish (when relying
> on these rather than "3 1 1" records) is:
>
> ; (These can be retired soon, but not just yet)
> ;
> ; letsencryptauthorityx3.pem
> ; letsencryptauthorityx4.pem
> ;
> _25._tcp.smtp.example.org. IN TLSA 2 1 1
> 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18
> _25._tcp.smtp.example.org. IN TLSA 2 1 1
> B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B
>
> ; (May not be needed if your leaf cert is RSA, ECDSA certs
> ; will I expect be soon signed with one of these).
> ;
> ; lets-encrypt-e1.pem
> ; lets-encrypt-e2.pem
> ;
> _25._tcp.smtp.example.org. IN TLSA 2 1 1
> 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
> _25._tcp.smtp.example.org. IN TLSA 2 1 1
> BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422E0C89270
>
> ; (May not be needed if your leaf cert is ECDSA, once
> ; ECDSA certificate issuance cuts over to e1/e2).
> ;
> ; lets-encrypt-r3.pem
> ; lets-encrypt-r4.pem
> ;
> _25._tcp.smtp.example.org. IN TLSA 2 1 1
> 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
> _25._tcp.smtp.example.org. IN TLSA 2 1 1
> E5545E211347241891C554A03934CDE9B749664A59D26D615FE58F77990F2D03
>
> --
> Viktor.
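The quoted message asks readers to re-compute the "2 1 1" digests themselves. The script below is an added example, written for this page and not part of the thread or of Viktor's tlsagen tool: it shows what a TLSA record of the form "usage selector matching-type" actually hashes (selector 1 is the DER SubjectPublicKeyInfo, selector 0 the whole certificate; matching type 1 is SHA-256), using only the Python standard library and a tiny DER walker. Because a real Let's Encrypt issuer certificate cannot be embedded here, the block constructs its own minimal X.509 certificate with filler key bytes; the certificate, its "Constructed CA" name and every digest it prints are therefore synthetic. Feed `tlsa_record()` the contents of a real PEM such as lets-encrypt-r3.pem to reproduce the digests in the message.

```python
"""Derive TLSA RDATA ("2 1 1", "3 1 1", "3 0 1", ...) from a PEM certificate, stdlib only."""
import base64
import hashlib


def _der_tlv(buf, pos):
    """Parse one DER TLV starting at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _der_children(buf, start, end):
    """Yield (tag, tlv_start, tlv_end) for each element inside a constructed DER value."""
    pos = start
    while pos < end:
        tag, _, vend = _der_tlv(buf, pos)
        yield tag, pos, vend
        pos = vend


def spki_from_cert_der(cert_der):
    """Return the DER SubjectPublicKeyInfo (what selector 1 hashes) of an X.509 certificate."""
    cert_tag, cert_vs, _ = _der_tlv(cert_der, 0)
    tbs_tag, tbs_vs, tbs_ve = _der_tlv(cert_der, cert_vs)
    if cert_tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    fields = list(_der_children(cert_der, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:               # v2/v3 carry an EXPLICIT [0] version; v1 certs omit it
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_start, spki_end = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[spki_start:spki_end]


def pem_to_der(pem):
    """Decode the first CERTIFICATE block of a PEM string."""
    body = pem.split("-----BEGIN CERTIFICATE-----", 1)[1].split("-----END CERTIFICATE-----", 1)[0]
    return base64.b64decode("".join(body.split()))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest().upper()


def tlsa_rdata(cert_der, usage, selector, mtype):
    """usage 0-3; selector 0 = full cert, 1 = SPKI; mtype 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_from_cert_der(cert_der)
    if mtype == 0:
        digest = data.hex().upper()
    elif mtype == 1:
        digest = sha256_hex(data)
    elif mtype == 2:
        digest = hashlib.sha512(data).hexdigest().upper()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {digest}"


def tlsa_record(pem, host, port=25, usage=2, selector=1, mtype=1):
    """Full RR in the layout the thread shows: '_25._tcp.smtp.example.org. IN TLSA 2 1 1 <hex>'."""
    return f"_{port}._tcp.{host}. IN TLSA {tlsa_rdata(pem_to_der(pem), usage, selector, mtype)}"


# ---- constructed sample certificate: not a real CA, key and signature bytes are filler ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        lb = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        lb = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + lb + content


_OID_EC_PUBKEY = bytes.fromhex("06072A8648CE3D0201")       # 1.2.840.10045.2.1 ecPublicKey
_OID_P256 = bytes.fromhex("06082A8648CE3D030107")          # 1.2.840.10045.3.1.7 prime256v1
_OID_ECDSA_SHA256 = bytes.fromhex("06082A8648CE3D040302")  # 1.2.840.10045.4.3.2
SAMPLE_SPKI_DER = _der(0x30, _der(0x30, _OID_EC_PUBKEY + _OID_P256)
                       + _der(0x03, b"\x00\x04" + bytes(range(1, 65))))  # filler point, not on the curve


def build_sample_cert(v3=True):
    """Synthetic DER certificate whose SPKI is SAMPLE_SPKI_DER; v3=False omits the version field."""
    name = _der(0x30, _der(0x31, _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, b"Constructed CA"))))
    validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))
    sigalg = _der(0x30, _OID_ECDSA_SHA256)
    fields = _der(0x02, b"\x01") + sigalg + name + validity + name + SAMPLE_SPKI_DER
    if v3:
        fields = _der(0xA0, _der(0x02, b"\x02")) + fields
    return _der(0x30, _der(0x30, fields) + sigalg + _der(0x03, b"\x00" + bytes(8)))


def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    sample_pem = to_pem(build_sample_cert())
    for usage, selector, mtype in ((2, 1, 1), (3, 1, 1), (3, 0, 1)):
        print(tlsa_record(sample_pem, "smtp.example.org", 25, usage, selector, mtype))
```

Two things the walker gets right that a quick `openssl x509 -pubkey | openssl dgst` pipeline also does but hides: the hashed bytes are the DER SubjectPublicKeyInfo exactly as embedded in the certificate, and a v1 certificate without the explicit version tag shifts the field index, which is why the code checks for the `[0]` tag rather than hard-coding the position. A "3 1 1" record for a leaf and a "2 1 1" record for its issuer are produced by the same function; only the input certificate and the usage number differ, which is the sense in which "3 1 1" users are unaffected by an issuer change.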