Best practice TLSA RRs for CA-issued certs

Michael Grimm trashcan at
Thu Dec 29 20:31:24 CET 2016

On 14 Apr 2016, Viktor Dukhovni <ietf-dane at> wrote:

I know, that's an old mail :-) But I have saved it for the time I will be ready to deploy LE certificates. That time has come.

> One approach to making sure that DANE TLSA records are less likely
> to fail that should work well for sites using CA-issued certificates
> is to publish both "3 1 1" and "2 1 1" TLSA records:
>    mx.example. IN TLSA 3 1 1 <digest of server public key>
>    mx.example. IN TLSA 2 1 1 <digest of immediate issuer public key>
> In particular, this is the best practice with Let's Encrypt
> issued SMTP server certificates, as explained in:

First of all I do have to admit that I am lacking knowledge when it comes to certificates, in general. So far, I got along with self-signed certificates that I did generate with the help of all those numerous howtos one can find. It worked.

If I do remember correctly, and if I do understand your conclusions in other mails correctly, long-lasting self-signed certificates plus periodically rotated TLSAs are still a good basis to run a secured mailserver on port 25. (FYI: I am using opendnssec for rotating every 3 months.)

After having read this best practice document, I am still hesitant to deploy a LE certificate to my mailserver's domain, because I do not understand all the implications, yet.

Thus I would like to raise some newbie questions regarding the following project:

	mailserver: with TLSA 3 1 1
	IMAP server:

#) Would it be possible to get *two* distinct LE certificates, one for the IMAP and one for the webserver ..
#) .. and simultaneously *keep* my self-signed certificate for the mailserver ..
#) .. and forget about the issues mentioned above?

#) Or should I strictly separate my mailserver from the rest by means of distinct domains, instead?

Apologies in advance if these are silly questions, but as I mentioned above, I am lacking skills w.r.t. certificates.

Thanks in advance and regards,

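As an added illustration, not part of this thread, of why the quoted advice publishes both "3 1 1" and "2 1 1": the matching logic below (Python) shows that a server-key rotation is covered by the issuer record and an issuer change is covered by the server-key record. The byte strings are constructed stand-ins for DER SubjectPublicKeyInfo values, and real usage-2 (DANE-TA) matching additionally requires PKIX path validation up to the matched issuer, which is omitted here.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE (server key), 2 = DANE-TA (issuer key)
    selector: int  # 1 = SubjectPublicKeyInfo
    mtype: int     # 1 = SHA2-256
    data: bytes    # the digest


def spki_digest(spki_der: bytes) -> bytes:
    # Selector 1 + matching type 1: SHA-256 over the DER SubjectPublicKeyInfo.
    return hashlib.sha256(spki_der).digest()


def tlsa_311(spki_der: bytes) -> TLSA:
    return TLSA(3, 1, 1, spki_digest(spki_der))


def tlsa_211(issuer_spki_der: bytes) -> TLSA:
    return TLSA(2, 1, 1, spki_digest(issuer_spki_der))


def presentation(owner: str, rr: TLSA) -> str:
    # Zone-file form, e.g. "mx.example. IN TLSA 3 1 1 <hex digest>".
    return f"{owner} IN TLSA {rr.usage} {rr.selector} {rr.mtype} {rr.data.hex()}"


def chain_matches(rrset: list, chain_spkis: list) -> bool:
    """chain_spkis[0] is the server's SPKI, the rest are its issuers in order.
    The chain is assumed to be PKIX-valid; only the digest comparison is shown."""
    for rr in rrset:
        if (rr.selector, rr.mtype) != (1, 1):
            continue  # only the SPKI / SHA-256 combination is handled here
        if rr.usage == 3 and rr.data == spki_digest(chain_spkis[0]):
            return True  # DANE-EE: the server key itself matches
        if rr.usage == 2 and any(rr.data == spki_digest(s) for s in chain_spkis[1:]):
            return True  # DANE-TA: some issuer in the chain matches
    return False


# Constructed sample keys (placeholders for real DER SPKI blobs).
SERVER_KEY, SERVER_KEY_NEW = b"constructed-spki-server-1", b"constructed-spki-server-2"
ISSUER_A, ISSUER_B = b"constructed-spki-issuer-A", b"constructed-spki-issuer-B"

# Published as the quoted mail recommends: both records side by side.
RRSET = [tlsa_311(SERVER_KEY), tlsa_211(ISSUER_A)]
```

Run `chain_matches(RRSET, chain)` with `[SERVER_KEY, ISSUER_B]` (issuer changed) or `[SERVER_KEY_NEW, ISSUER_A]` (server key rotated) to see each record cover the other's failure case.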