On Thu, Apr 20, 2017 at 11:40:20AM -0400, John wrote:
I am assuming that past threads on TLSA records still hold. Therefore 3/1/1, with optional 2/1/1 depending upon root cert provenance.
The provenance of the root cert is irrelevant. From a public CA (let's face it "everyone" is using Let's Encrypt lately) you'd typically use an intermediate CA as your DANE trust anchor.
For a private issuing CA it is more typical to see leaf certs issued directly by a root CA, but still use whatever CA is the direct issuer as the DANE trust-anchor.
I recommend using a private issuer CA for port 25. It is much too easy for backbone operators to mess with BGP routes, MiTM CA "domain validation" challenges and walk away with a fraudulent certificate. Perhaps some day "Certificate Transparency" will help detect the fraud after-the-fact, but "DV" certificates don't provide much more security value than the $0 you pay form them.
You can think of "Let's Encrypt" as opportunistic security for the World-Wide Web. The party doing the unauthenticated leap of faith key pinning is the CA, and then everyone else piggy-backs on the CA's success or failure (of course there are many CAs).
Now certainly not having a cert at all and doing HTTP in the clear is less secure than using a "DV" certificate, and "DV" certificates do protect against passive monitoring. So the "DV" ecosystem is doing some good. But "DV" cannot protect against targetted active attack, and "EV" does not scale.
So, for DANE, though use of "Let's Encrypt" with a combination of "3 1 1" + "2 1 1" TLSA records is a good place to start, a private CA is better. We just need to make using a private CA much easier than it currently is. I'd like to enhance the "postfix tls" CLI to support an issuing trust-anchor some time this year.
If you're wealthy enough to afford "EV" certs, you can of course use an EV-only intermediate for your "2 1 1" (or perhaps in that case "2 0 1") TLSA record. One might hope that "EV" certificate issuance is much more resistant to MiTM or other attempts to obtain fraudulent certificates.