On Mon, Sep 21, 2020 at 08:20:07AM -0400, micah anderson wrote:

> > Please note that the Let's Encrypt intermediate CA certificate "X3" will
> > soon be phased out in favour of "R3" and "E1" which have new keys, and so
> > any DANE TLSA "2 1 1" records matching "X3" will not match "R3" or "E1".
>
> Could you post the old record for the "X3" certificates? I think it
> might help to be able to find if one has it configured or not!
Below are all the hashes, for matching types SHA2-256(1) and SHA2-512(2), of
both the certificates (DANE selector Cert(0)) and their public keys (DANE
selector SPKI(1)). Note, I do not recommend publishing anything other than
"2 1 1", but if you have used one of the other values, the below list may be
helpful, though one would really hope that you have some idea of what's in
your TLSA records and why... In particular if you have hashes in your TLSA
records that don't match anything in your current certificate chain or in an
upcoming update, then delete them. Random data you can't explain has no place
in your TLSA RRSet.

letsencryptauthorityx3.pem
_25._tcp.smtp.example.org. IN TLSA 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18
_25._tcp.smtp.example.org. IN TLSA 2 1 2 774FAD8C9A6AFC2BDB44FABA8390D213AE592FB0D56C5DFAB152284E334D7CD6ABD05799236E7AA6266EDF81907C60404C57EE54C10A3A82FCC2A9146629B140
_25._tcp.smtp.example.org. IN TLSA 2 0 1 731D3D9CFAA061487A1D71445A42F67DF0AFCA2A6C2D2F98FF7B3CE112B1F568
_25._tcp.smtp.example.org. IN TLSA 2 0 2 5EC5B0783C6E667E0965DF772943A06326768DE0F75DC0BD2FE378F02CCCA7D56C987656174CBE158CC29ECD763F8BDA3454332CC7D47FB934691409C5FB8686

letsencryptauthorityx4.pem
_25._tcp.smtp.example.org. IN TLSA 2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B
_25._tcp.smtp.example.org. IN TLSA 2 1 2 A0F5D1333BC90BCEA0B0B5F401160B6E7F28A1256BC5B5D65F04B06B0BB0C96270AA81D8E2726394D385BF3E9EE46EB4AB7548C782D5688CC16D0CDFFEFB8594
_25._tcp.smtp.example.org. IN TLSA 2 0 1 5DE9152BED31FA0515DD1FC746133F1327562EF72A84CF2D2403E748A604D0D4
_25._tcp.smtp.example.org. IN TLSA 2 0 2 74DDAD9F8CDFA0FE6F6B70301B557A63A58B87FC2C17FAE0F65E47D141226C062A74FA14861DC47A720BD8699B99091A06BD695CDDE51222F837B9DECFC270C5

lets-encrypt-r3.pem
_25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
_25._tcp.smtp.example.org. IN TLSA 2 1 2 0F644C9A1DCB8C04BE6B385A60DBE4FDF7E2B81E335C9AD8C7CD0ABE2FF9E7E5BBFBB68B38DD0216F17808F48BDF6AF8C6347659C1F41A9858032C31F436D12C
_25._tcp.smtp.example.org. IN TLSA 2 0 1 67ADD1166B020AE61B8F5FC96813C04C2AA589960796865572A3C7E737613DFD
_25._tcp.smtp.example.org. IN TLSA 2 0 2 96C5793B2B57D8DF5891C94015720960E0DA4C2CF8CE1FC5707A0B46E5DB8CE3761FB5FDB430F619D1579F13E80FBDD973EF6A024129ED039AA193273158FCAD

lets-encrypt-r4.pem
_25._tcp.smtp.example.org. IN TLSA 2 1 1 E5545E211347241891C554A03934CDE9B749664A59D26D615FE58F77990F2D03
_25._tcp.smtp.example.org. IN TLSA 2 1 2 59A91D97D81980951D0EF3C6D849B31606AF9AB2B0F7DCFAC93A53AE3263EB8902C3B7C564F33FF496F2D07C750B1B6924968C243882AF9E3532797EEF596F27
_25._tcp.smtp.example.org. IN TLSA 2 0 1 1A07529A8B3F01D231DFAD2ABDF71899200BB65CD7E03C59FA82272533355B74
_25._tcp.smtp.example.org. IN TLSA 2 0 2 0F0B4DD77EE99D8ED5724DA618B56017D08B757884796D087BF656E62D2717B5C913CB1E2EDA07AACBFDBFDCB1BA5BA52114D54C000E05B0CB755256A61C0C37

lets-encrypt-e1.pem
_25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
_25._tcp.smtp.example.org. IN TLSA 2 1 2 3561540FBF182BCE7749ACC131B421E691F083569C053E78F20274714C5E801226FF6EDB60641DDF70E71BD3A90DFE25DDD6464BE78106B77DECE4F6A3BFF13D
_25._tcp.smtp.example.org. IN TLSA 2 0 1 46494E30379059DF18BE52124305E606FC59070E5B21076CE113954B60517CDA
_25._tcp.smtp.example.org. IN TLSA 2 0 2 0FC8BDB5B93D95BB016BB543BD74B859E4C18930964D59CFC305B93EF3212C0C20F3084BA98FBF7AAC55D0D22C5B35566ED75BEBE6D5A7C53CA1F949C45C3C8E

lets-encrypt-e2.pem
_25._tcp.smtp.example.org. IN TLSA 2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422E0C89270
_25._tcp.smtp.example.org. IN TLSA 2 1 2 23A30BD3B617652E97224E1FAF673C4E09F1C197E4994274E676F2490893E9560D99F00A8859E399B2C65219CE2EB9B76784A0EC775AB4973A14FC1437AC7D9F
_25._tcp.smtp.example.org. IN TLSA 2 0 1 BACDE0463053CE1D62F8BE74370BBAE79D4FCAF19FC07643AEF195E6A59BD578
_25._tcp.smtp.example.org. IN TLSA 2 0 2 E8EC8405AB45605AE6E4A54EFD6D626F663CB7E61A10D9A6A6A08B118E0D35763D0118E263A6DB64516CA9F4E7F64FCD2B5DBF9E7A7BA265870606AF26F4D855

In the final analysis, "3 1 1" is starting to look not only more secure, but
also, perhaps surprisingly, simpler to manage. The medium-term stability of
issuer CA certs lulls the user into unwise procrastination. The DANE-TA(2)
use-case is more appropriate for private CAs you yourself control, than
delegation of trust to a public CA, whose use of a particular set of keys or
certs is not under your control and may change with little notice.

-- 
Viktor.
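The following is an added example, not code from Viktor's message or from Postfix, showing how the TLSA data above is derived from a certificate: selector 0 hashes the full DER certificate, selector 1 hashes only the SubjectPublicKeyInfo, and matching type 1 or 2 selects SHA2-256 or SHA2-512. It also implements the check the message asks for, flagging TLSA records whose data matches none of the certificates you currently deploy or plan to deploy. Because no real Let's Encrypt certificate is embedded, the input is a constructed DER certificate shell with dummy key bits (`build_sample_cert`, an assumption); against the real `lets-encrypt-r3.pem` and friends, `pem_to_der` reads the file contents and the rest works unchanged, since the minimal ASN.1 walker only relies on the fixed field order of an X.509 TBSCertificate. The owner name is the one used in the message.

```python
import base64
import hashlib
import textwrap


# --- minimal DER helpers -----------------------------------------------------

def _der_len(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """Build one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(payload)) + payload


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END lines of a PEM certificate and base64-decode it."""
    body = [ln.strip() for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo (header included), as DANE selector 1 hashes it."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    assert tag == 0x30
    tag, tbs, _ = _read_tlv(cert_body, 0)             # tbsCertificate ::= SEQUENCE
    assert tag == 0x30
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:                                   # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                                # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    tag, _, end = _read_tlv(tbs, pos)                 # subjectPublicKeyInfo
    assert tag == 0x30
    return tbs[pos:end]


# --- TLSA data generation ----------------------------------------------------

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest().upper()


def tlsa_data(cert_der: bytes, selector: int, mtype: int) -> str:
    """Certificate association data for the given DANE selector and matching type."""
    if selector == 0:
        data = cert_der                       # Cert(0): whole certificate
    elif selector == 1:
        data = extract_spki(cert_der)         # SPKI(1): public key only
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        return data.hex().upper()             # Full(0): raw data
    if mtype == 1:
        return sha256_hex(data)               # SHA2-256(1)
    if mtype == 2:
        return hashlib.sha512(data).hexdigest().upper()   # SHA2-512(2)
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_record(owner: str, usage: int, selector: int, mtype: int, cert_der: bytes) -> str:
    return f"{owner} IN TLSA {usage} {selector} {mtype} {tlsa_data(cert_der, selector, mtype)}"


def unmatched_records(rrset, certs):
    """Records (usage, selector, mtype, data) whose data matches none of the given DER certs."""
    return [r for r in rrset
            if not any(tlsa_data(c, r[1], r[2]) == r[3].upper() for c in certs)]


# --- constructed sample input (assumption: not a real certificate) -----------

def build_sample_cert():
    """A structurally valid DER certificate shell with dummy contents; returns (cert, spki)."""
    alg_id = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01010B")))   # sha256WithRSAEncryption
    version = tlv(0xA0, tlv(0x02, b"\x02"))
    serial = tlv(0x02, b"\x01")
    name = tlv(0x30, b"")                                                 # empty Name
    validity = tlv(0x30, tlv(0x17, b"200101000000Z") + tlv(0x17, b"300101000000Z"))
    spki = tlv(0x30, alg_id + tlv(0x03, b"\x00" + b"\x42" * 32))          # dummy key bits
    tbs = tlv(0x30, version + serial + alg_id + name + validity + name + spki)
    return tlv(0x30, tbs + alg_id + tlv(0x03, b"\x00" * 17)), spki


SAMPLE_CERT_DER, SAMPLE_SPKI = build_sample_cert()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_CERT_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    owner = "_25._tcp.smtp.example.org."
    der = pem_to_der(SAMPLE_PEM)
    for selector, mtype in ((1, 1), (1, 2), (0, 1), (0, 2)):
        print(tlsa_record(owner, 2, selector, mtype, der))
```

To audit a live RRSet, parse the published records into `(usage, selector, mtype, data)` tuples and pass the DER of every certificate in the current chain plus the upcoming issuer certs to `unmatched_records`; anything it returns is the "random data you can't explain" that should be removed.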