On Mon, Aug 26, 2024 at 12:15:47AM +1000, Viktor Dukhovni wrote:
The major changes in the Let's Encrypt issuer CA lineup noted in my previous post:
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/ZTM3XQMI3XP7PWMWJTXBYDPVU4UENE24/
are now largely completed. Of the ~46000 domains with working DANE-TA(2) TLSA records matching a Let's Encrypt intermediate issuer, just 62 are still based on R3, and none on X3, X4, R4, E1 or E2.
These last few R3 issued certificates will either be renewed or will expire by September 4th.
Therefore, if you haven't done so already, please read the fine advice in:
https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
and switch to R10..R14 or E5..E9 (or rarely both) as appropriate.
With all the R3, R4, E1 and E2 certificates now expired, I've updated the text of the above webpage, and added MX hosts still listing R3, R4, E1 or E2 to the table:
https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#stale
Please be sure to publish TLSA records for the FULL list of CAs in each group:
- R10–R14 if using any of these.
- E5–E9 if using any of these.
- ISRG X1 and ISRG X2 if using either of these.
It is disappointing to see some operators react to a survey notice of a problem by publishing a single TLSA RR matching e.g. just R10, only to have a problem ~30-60 days later when the new certificate is from R11.
They may then publish just R10 and R11, leaving out R12–R14, which might be used with little warning, if needed.
Such dogged failure to plan for the inevitable is not a positive character trait. :-(
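The "full group" rule above is easy to check mechanically before and after each certificate renewal. The following script is an added example and is not part of the original post or of any tool the author maintains: it parses DANE-TA(2) TLSA records in `dig` presentation format, maps each "2 1 1" digest to an issuer name, and reports which siblings of a partially published group are missing. The digest table and the sample records are constructed placeholders; an operator would replace the table with SPKI SHA-256 digests computed from the actual Let's Encrypt intermediate certificates.

```python
"""Check that DANE-TA(2) TLSA records cover every issuer in each Let's Encrypt
intermediate group (R10-R14, E5-E9, ISRG X1/X2).

Added example, not part of the original mailing-list post.  The digest values
in PLACEHOLDER_DIGESTS are constructed stand-ins, not the real SPKI hashes of
the intermediates; compute real ones from the intermediate certificates, e.g.
  openssl x509 -in R10.pem -pubkey -noout | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256
"""
import re

# Issuers that rotate among each other: publishing one without its siblings
# leaves a gap as soon as a renewal is signed by a different member.
ISSUER_GROUPS = {
    "R": ["R10", "R11", "R12", "R13", "R14"],
    "E": ["E5", "E6", "E7", "E8", "E9"],
    "X": ["ISRG X1", "ISRG X2"],
}

# Constructed placeholder table: TLSA "2 1 1" digest (hex) -> issuer name.
PLACEHOLDER_DIGESTS = {
    "10" * 32: "R10", "11" * 32: "R11", "12" * 32: "R12",
    "13" * 32: "R13", "14" * 32: "R14",
    "e5" * 32: "E5", "e6" * 32: "E6", "e7" * 32: "E7",
    "e8" * 32: "E8", "e9" * 32: "E9",
    "01" * 32: "ISRG X1", "02" * 32: "ISRG X2",
}


def parse_tlsa(lines):
    """Parse TLSA RRs in presentation format (full RR lines as printed by dig,
    or bare RDATA '2 1 1 <hex>'); the hex digest may be split by whitespace.
    Returns a list of (usage, selector, matching_type, digest_hex) tuples."""
    records = []
    for line in lines:
        line = line.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if "TLSA" in fields:                       # strip owner/TTL/class/type
            fields = fields[fields.index("TLSA") + 1:]
        if len(fields) < 4:
            raise ValueError(f"malformed TLSA record: {line!r}")
        usage, selector, mtype = (int(f) for f in fields[:3])
        digest = "".join(fields[3:]).lower()
        if not re.fullmatch(r"[0-9a-f]+", digest):
            raise ValueError(f"non-hex digest in TLSA record: {line!r}")
        records.append((usage, selector, mtype, digest))
    return records


def covered_issuers(records, digests=PLACEHOLDER_DIGESTS):
    """Map DANE-TA(2) SPKI SHA-256 records ('2 1 1') to issuer names.
    Returns (set of covered issuer names, list of unrecognised digests)."""
    covered, unknown = set(), []
    for usage, selector, mtype, digest in records:
        if (usage, selector, mtype) != (2, 1, 1):
            continue                               # DANE-EE etc. not judged here
        name = digests.get(digest)
        if name is None:
            unknown.append(digest)
        else:
            covered.add(name)
    return covered, unknown


def missing_issuers(covered):
    """For every group that is only partly covered, list the absent siblings."""
    missing = {}
    for group, members in ISSUER_GROUPS.items():
        present = [m for m in members if m in covered]
        if present and len(present) < len(members):
            missing[group] = [m for m in members if m not in covered]
    return missing


def check_tlsa(lines, digests=PLACEHOLDER_DIGESTS):
    """Full check: parse, classify, and report coverage gaps."""
    covered, unknown = covered_issuers(parse_tlsa(lines), digests)
    missing = missing_issuers(covered)
    return {
        "covered": sorted(covered),
        "missing": missing,
        "unknown": unknown,
        "ok": bool(covered) and not missing and not unknown,
    }


# Constructed sample mirroring the "just R10 and R11" pattern from the post.
SAMPLE_TLSA = [
    "; constructed sample records, not a real zone",
    "_25._tcp.mx.example.net. 3600 IN TLSA 2 1 1 " + "10" * 32,
    "_25._tcp.mx.example.net. 3600 IN TLSA 2 1 1 " + "11" * 32,
    "_25._tcp.mx.example.net. 3600 IN TLSA 3 1 1 " + "ab" * 32,   # DANE-EE, ignored
]

if __name__ == "__main__":
    report = check_tlsa(SAMPLE_TLSA)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it the output of `dig +short TLSA _25._tcp.<mx-host>` (the bare RDATA form is accepted) after replacing the placeholder table with real digests; a non-empty `missing` entry is exactly the situation the post warns about, and a non-empty `unknown` list usually means a digest for an issuer the table does not know about, which deserves a look too.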