Please drop TLSA records matching retired Let's Encrypt CAs

Viktor Dukhovni ietf-dane at
Thu Sep 30 17:30:26 CEST 2021

The DANE survey continues to observe a "long tail" of MX hosts with TLSA 
records that match the retired "X3" and/or "X4" Let's Encrypt issuer Cas.

If you're publishing TLSA records with Let's Encrypt issuer CA hashes,
the "X3" and "X4" CAs should no longer appear in your TLSA RRset.  Also
be sure to use "2 1 1" and not "2 0 1" or "2 0 2" TLSA parameters.
For details see:

The MX host counts for the various LE CAs are:

      #   | CA 
      538 | X3
      248 | X4
     1133 | R3
      436 | R4
      483 | E1
      396 | E2

* The counts for X3 and X4 should by now be 0.
* Every MX host that publishes R3 should also publish R4.
* Every MX host publishing E1 should also publish E2.
* The simplest strategy is to publish all four of R3,R4,E1 and E2


More information about the dane-users mailing list