Please drop TLSA records matching retired Let's Encrypt CAs
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Sep 30 17:30:26 CEST 2021
The DANE survey continues to observe a "long tail" of MX hosts with TLSA
records that match the retired "X3" and/or "X4" Let's Encrypt issuer CAs.
If you're publishing TLSA records with Let's Encrypt issuer CA hashes,
the "X3" and "X4" CAs should no longer appear in your TLSA RRset. Also
be sure to use "2 1 1" and not "2 0 1" or "2 0 2" TLSA parameters.
For details see:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
The MX host counts for the various LE CAs are:
    # | CA
------+----
  538 | X3
  248 | X4
 1133 | R3
  436 | R4
  483 | E1
  396 | E2
* The counts for X3 and X4 should by now be 0.
* Every MX host that publishes R3 should also publish R4.
* Every MX host publishing E1 should also publish E2.
* The simplest strategy is to publish all four of R3, R4, E1 and E2.
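As an added illustration (not part of the original post), the following Python lints an MX host's TLSA RRset against the rules above: it flags "2 0 x" parameters, malformed digests, records matching a retired CA, and R3/E1 published without R4/E2. The digests in LE_CA_DIGEST are constructed placeholders; the real values are the SHA-256 of each intermediate's DER SubjectPublicKeyInfo, which is what a "2 1 1" record carries.

```python
import re

# Constructed placeholder digests: the real SHA-256 SPKI hashes of the Let's
# Encrypt intermediates are not on the page, so these stand in for them.
LE_CA_DIGEST = {
    "X3": "a3" * 32, "X4": "a4" * 32,
    "R3": "b3" * 32, "R4": "b4" * 32,
    "E1": "c1" * 32, "E2": "c2" * 32,
}
RETIRED = {"X3", "X4"}
# Issuer whose sibling must also be published, per the post's guidance.
SIBLING = {"R3": "R4", "E1": "E2"}
DIGEST_HEX_LEN = {1: 64, 2: 128}  # matching type 1 = SHA-256, 2 = SHA-512
NAME_BY_DIGEST = {d: n for n, d in LE_CA_DIGEST.items()}

TLSA_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+([0-9a-fA-F\s]+)$")


def parse_tlsa(rdata):
    """Parse presentation-form TLSA rdata into (usage, selector, mtype, hexdigest)."""
    m = TLSA_RE.match(rdata)
    if not m:
        raise ValueError(f"not a TLSA record: {rdata!r}")
    usage, selector, mtype = (int(x) for x in m.group(1, 2, 3))
    digest = re.sub(r"\s+", "", m.group(4)).lower()
    return usage, selector, mtype, digest


def lint_tlsa_rrset(rrset):
    """Return a list of findings for the issuer-CA (usage 2) records of one RRset."""
    findings, published = [], set()
    for rdata in rrset:
        usage, selector, mtype, digest = parse_tlsa(rdata)
        if usage != 2:  # DANE-EE (usage 3) records are not issuer-CA records
            continue
        if mtype not in DIGEST_HEX_LEN or len(digest) != DIGEST_HEX_LEN[mtype]:
            findings.append(f"malformed digest for matching type {mtype}: {rdata}")
            continue
        if selector != 1 or mtype != 1:
            findings.append(f"use '2 1 1', not '{usage} {selector} {mtype}': {rdata}")
        name = NAME_BY_DIGEST.get(digest)
        if name is None:
            continue
        published.add(name)
        if name in RETIRED:
            findings.append(f"retired Let's Encrypt CA {name} still published")
    for ca, sibling in SIBLING.items():
        if ca in published and sibling not in published:
            findings.append(f"{ca} published without {sibling}")
    return findings
```

An empty result means the RRset follows the post's recommendation; each finding names the record or CA that needs attention.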
--
Viktor.