And that your warning is re: the "2 1 1" use case. Correct?
Yes.
My intention is to verify I've got my "3 1 2" setup working after monkeying with it, and unpublish the "2 1 1" records.
That will improve security (avoids trust in weak DV cert issuance), and provided you have good monitoring, and a robust "3 1 1 + 3 1 1" rollover process (when changing keys), you should be all set.
Thanks for this, and yesterday's comments.
After simplifying to just the "3 1 2" certs, I see the one-algo-not-the-other 'good' results at the online checks, as you'd warned:
https://stats.dnssec-tools.org/explore/ https://dane.sys4.de https://dnsviz.net/ https://www.huque.com/bin/danecheck
I've switched out my own monitoring for danesmtp. Once I remembered that running it from my residential LAN was hitting ISP port 25 blocks (::facepalm::), it's easy enough for once-a-day scans, with notify on fail, for each of my certs+algos checks.
Cheers!
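As an added illustration (not code from either participant in this thread, and not danesmtp), here is a Python check of the kind a daily TLSA scan can run alongside it, covering the "3 1 1 + 3 1 1" rollover advice above and the per-cert, per-algorithm monitoring mentioned in the reply: it hashes a SubjectPublicKeyInfo the way "3 1 1" and "3 1 2" records do, reports whether the live key and a pre-staged next key are both published, and flags any "2 1 1" records still present. The keys and zone records are constructed sample data, and `audit_tlsa` is a hypothetical helper name.

```python
import hashlib

# TLSA fields as used in this thread (RFC 6698 / RFC 7671):
#   usage 2 = DANE-TA, usage 3 = DANE-EE; selector 1 = SubjectPublicKeyInfo;
#   matching type 1 = SHA-256, matching type 2 = SHA-512.
DIGEST = {1: hashlib.sha256, 2: hashlib.sha512}


def tlsa_data(spki_der: bytes, mtype: int) -> str:
    """Hex association data of a selector-1 record for the given SPKI DER."""
    return DIGEST[mtype](spki_der).hexdigest()


def audit_tlsa(records, current_spki, next_spki=None):
    """Bucket published TLSA rdata against the live key and the staged next key.

    records: list of (usage, selector, mtype, hex_data) as seen in DNS.
    'ok' means the live key is covered and no usage-3 record is stale;
    'rollover_ready' means "3 1 1 + 3 1 1" style pre-publication is in place.
    """
    result = {"current": [], "next": [], "usage2": [], "unmatched": []}
    for rec in records:
        usage, selector, mtype, data = rec
        if usage == 2:                      # the records the author wants gone
            result["usage2"].append(rec)
            continue
        if selector != 1 or mtype not in DIGEST:
            result["unmatched"].append(rec)  # not something this check covers
            continue
        data = data.lower().replace(" ", "")  # zone files may split the hex
        if data == tlsa_data(current_spki, mtype):
            result["current"].append(rec)
        elif next_spki is not None and data == tlsa_data(next_spki, mtype):
            result["next"].append(rec)
        else:
            result["unmatched"].append(rec)  # stale or mistyped "3 1 x" data
    result["ok"] = bool(result["current"]) and not result["unmatched"]
    result["rollover_ready"] = bool(result["current"]) and bool(result["next"])
    return result


# Constructed sample keys (not real deployed keys): an Ed25519 SPKI DER is a
# fixed 12-byte header followed by the 32-byte public key.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
CURRENT_SPKI = ED25519_SPKI_PREFIX + bytes(range(32))
NEXT_SPKI = ED25519_SPKI_PREFIX + bytes(range(32, 64))

# Constructed zone contents: "3 1 1" and "3 1 2" for the live key, a staged
# "3 1 1" for the next key, and a leftover "2 1 1" record (placeholder digest).
PUBLISHED = [
    (3, 1, 1, tlsa_data(CURRENT_SPKI, 1)),
    (3, 1, 2, tlsa_data(CURRENT_SPKI, 2)),
    (3, 1, 1, tlsa_data(NEXT_SPKI, 1)),
    (2, 1, 1, "00" * 32),
]

if __name__ == "__main__":
    for bucket, value in audit_tlsa(PUBLISHED, CURRENT_SPKI, NEXT_SPKI).items():
        print(bucket, value)
```

In a real scan the SPKI would come from the certificate presented on port 25 and the records from a validating resolver; a non-empty `usage2` or `unmatched` bucket, or `ok` being false, is the condition to alert on.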