• Viktor Dukhovni [2024-06-07 10:54]:
[...]
This has now (as of 2024-06-06) taken place, and I'm starting to see
Let's Encrypt certificates from R10, R11, E5 and E6, and of course one's
published TLSA RRset should always include the backup issuers.
However, it is possible to publish TLSA RRs that match just the "R*" CAs
when you have RSA keys, or just the "E*" CAs for ECDSA keys. But don't
forget to take appropriate action before switching algorithms or
choosing to have keys/certs for both algorithms.
For more details:
- https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
[...]
beware that publishing TLSA RRs for *all* LE keys (10+4 for now, and
only 10 in 3 months' time) could cause trouble when Exchange Online
tries to do delivery... see
https://www.mail-archive.com/[email protected]/msg22141.html for more
details.
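As an added illustration of the advice above (not code from either poster), a small pre-flight check that builds the TLSA 2 1 1 records an MX host needs for the key algorithms it actually deploys, and reports what is missing before an RSA-only site adds an ECDSA key. The issuer SPKI bytes below are constructed stand-ins, not the real Let's Encrypt intermediate keys.

```python
import hashlib

# Constructed stand-in SubjectPublicKeyInfo (SPKI) DER bytes per issuer.
# These are NOT the real Let's Encrypt keys; in practice extract the DER
# SPKI from each issuer certificate (primary and backup) and use that.
ISSUER_SPKI = {
    "R10": b"constructed-spki-R10",   # RSA issuer
    "R11": b"constructed-spki-R11",   # RSA backup issuer
    "E5": b"constructed-spki-E5",     # ECDSA issuer
    "E6": b"constructed-spki-E6",     # ECDSA backup issuer
}

def tlsa_211_digest(spki_der: bytes) -> str:
    """Matching data of a TLSA 2 1 1 record: SHA-256 over the issuer SPKI DER."""
    return hashlib.sha256(spki_der).hexdigest()

def issuers_for(algorithms):
    """Issuers (primary and backup) that may sign a cert for the given key types."""
    prefix = {"rsa": "R", "ecdsa": "E"}
    wanted = {prefix[a] for a in algorithms}
    return {name for name in ISSUER_SPKI if name[0] in wanted}

def required_rrset(algorithms):
    """Set of 2 1 1 digests that must be published for these key algorithms."""
    return {tlsa_211_digest(ISSUER_SPKI[n]) for n in issuers_for(algorithms)}

def check_rrset(published, algorithms):
    """Compare a published RRset with what the deployed key algorithms need.
    Returns (missing, extra) as sets of hex digests."""
    needed = required_rrset(algorithms)
    published = {d.lower() for d in published}
    return needed - published, published - needed

def zone_lines(owner, algorithms):
    """Zone-file presentation of the required records, one per issuer."""
    return [f"{owner} IN TLSA 2 1 1 {tlsa_211_digest(ISSUER_SPKI[n])}"
            for n in sorted(issuers_for(algorithms))]

if __name__ == "__main__":
    rsa_only = required_rrset({"rsa"})
    # Before adding an ECDSA key/cert, the RSA-only RRset is no longer enough:
    missing, extra = check_rrset(rsa_only, {"rsa", "ecdsa"})
    print("missing before switching:", sorted(missing))
    for line in zone_lines("_25._tcp.mx.example.com.", {"rsa", "ecdsa"}):
        print(line)
```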