On Mon, Aug 26, 2024 at 12:15:47AM +1000, Viktor Dukhovni wrote:
> The major changes in the Let's Encrypt issuer CA lineup noted in my
> previous post:
>
>
> https://list.sys4.de/hyperkitty/list/[email protected]/message/ZTM3XQMI3XP7PWMWJTXBYDPVU4UENE24/
>
> are now largely completed. Of the ~46000 domains with working
> DANE-TA(2) TLSA records matching a Let's Encrypt intermediate issuer,
> just 62 are still based on R3, and none on X3, X4, R4, E1 or E2.
>
> These last few R3 issued certificates will either be renewed or will
> expire by September 4th.
>
> Therefore, if you haven't done so already, please read the fine advice
> in:
>
> https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
>
> and switch to R10..R14 or E5..E9 (or rarely both) as appropriate.
With all the R3, R4, E1 and E2 certificates now expired, I've updated
the text of the above webpage, and added MX hosts still listing
R3, R4, E1 or E2 to the table:

https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#stale

Please be sure to publish TLSA records for the FULL list of CAs in each
group:

- R10–R14 if using any of these.
- E5–E9 if using any of these.
- ISRG X1 and ISRG X2 if using either of these.

It is disappointing to see some operators react to a survey notice of a
problem by publishing a single TLSA RR matching e.g. just R10, only to
have a problem ~30-60 days later when the new certificate is from R11.
They may then publish just R10 and R11, leaving out R12–R14, which
might be used with little warning, if needed.

Such dogged failure to plan for the inevitable is not a positive
character trait. :-(
--
Viktor.
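The following is an added example, not part of the message above nor of Viktor's survey tooling. It shows what "publish TLSA records for the FULL list of CAs in each group" means in practice: for each issuer certificate in a group it derives the DANE-TA(2) record data (usage 2, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256), emits the zone lines, and then checks a published RRset for issuers that are missing, which is exactly the "only R10" and "only R10 and R11" failure mode the message describes. Because real intermediate certificates are not embedded, the block builds syntactically X.509-shaped stand-in certificates with fake keys; the owner name `_25._tcp.mx.example.net.` and the stand-in certificates are constructed assumptions, and the minimal DER parser is sufficient only for standard certificate layouts (it does not validate signatures or extensions).

```python
"""Added example (not from the message or the survey): derive DANE-TA(2)
"2 1 1" TLSA data from issuer certificates and check that a published
RRset covers every issuer in a group such as R10..R14."""
import hashlib

# ---- minimal DER helpers (enough for the certificate skeleton used here) ----

def der(tag, content):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_tlv(data, offset=0):
    """Decode the TLV at `offset`; return (tag, value, offset_after)."""
    tag, length, pos = data[offset], data[offset + 1], offset + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def spki_from_cert_der(cert_der):
    """Return the DER SubjectPublicKeyInfo (whole TLV) of an X.509 certificate.

    Certificate ::= SEQ { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQ { [0] version OPTIONAL, serialNumber, signature,
                             issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_tlv(cert_der)
    _, tbs, _ = der_tlv(cert_body)
    fields, off = [], 0
    while off < len(tbs):
        tag, _, nxt = der_tlv(tbs, off)
        fields.append((tag, tbs[off:nxt]))
        off = nxt
    if fields[0][0] == 0xA0:          # explicit [0] version is optional
        fields = fields[1:]
    return fields[5][1]               # serial, sigalg, issuer, validity, subject, SPKI

def tlsa_2_1_1(cert_der):
    """TLSA rdata hex for usage 2 (DANE-TA), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return hashlib.sha256(spki_from_cert_der(cert_der)).hexdigest()

def tlsa_rrset(owner, group):
    """Zone-file lines publishing one 2 1 1 record per issuer in `group` ({name: cert_der})."""
    return [f"{owner} IN TLSA 2 1 1 {tlsa_2_1_1(cert)}  ; {name}" for name, cert in group.items()]

def missing_issuers(published, group):
    """Issuer names in `group` with no matching (2, 1, 1, hex) entry in `published`."""
    return [n for n, c in group.items() if (2, 1, 1, tlsa_2_1_1(c)) not in published]

# ---- constructed stand-in certificates (NOT real Let's Encrypt intermediates) ----

def fake_cert(cn, key_bytes):
    """Build a syntactically X.509-shaped DER certificate around a fake key.
    Returns (cert_der, spki_der) so the parser can be checked independently."""
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    key_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))  # rsaEncryption
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode()))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"270101000000Z"))
    spki = der(0x30, key_alg + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 9)), spki

GROUP_NAMES = ("R10", "R11", "R12", "R13", "R14")      # the group named in the message
GROUP = {n: fake_cert(n, hashlib.sha256(n.encode()).digest()) for n in GROUP_NAMES}
GROUP_CERTS = {n: cert for n, (cert, _) in GROUP.items()}

if __name__ == "__main__":
    for line in tlsa_rrset("_25._tcp.mx.example.net.", GROUP_CERTS):
        print(line)
    # An operator who published only R10, the failure mode described in the message:
    only_r10 = {(2, 1, 1, tlsa_2_1_1(GROUP_CERTS["R10"]))}
    print("missing:", missing_issuers(only_r10, GROUP_CERTS))
```

With real intermediates the operator would feed the DER of each issuer in the group to `tlsa_2_1_1` and publish the whole RRset at once; `missing_issuers` is the check to run against the records actually served by DNS before the next renewal, not after the next failure.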