• Viktor Dukhovni [2024-06-07 10:54]: [...]
This has now (as of 2024-06-06) taken place, and I'm starting to see Let's Encrypt certificates from R10, R11, E5 and E6, and of course one's published TLSA RRset should always include the backup issuers.
However, it is possible to publish TLSA RRs that match just the "R*" CAs when you have RSA keys, or just the "E*" CAs for ECDSA keys. But don't forget to take appropriate action before switching algorithms or choosing to have keys/certs for both algorithms.
For more details:
[...]
Beware that publishing TLSA RRs for *all* LE keys (10+4 for now, and only 10 in 3 months' time) could cause trouble when Exchange Online tries to do delivery... see https://www.mail-archive.com/mailop@mailop.org/msg22141.html for more details.
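The split Viktor describes (one TLSA RRset covering just the "R*" RSA issuers, another covering just the "E*" ECDSA issuers, or both when serving both key types) comes down to hashing each issuer's SubjectPublicKeyInfo and filtering on the key algorithm OID. The following is an added example, not code from this thread or from Let's Encrypt: it builds DANE-TA "2 1 1" records from issuer certificates in DER form and selects them by algorithm. The two certificates it uses are constructed inline with dummy keys and no real signature (enough X.509 structure to locate the SPKI, nothing more), so their digests are not those of any real intermediate; in practice you feed it the real intermediate certificates, including the backup issuers.

```python
"""DANE-TA TLSA records (usage 2, selector 1, matching type 1) per issuer,
split by public key algorithm so an RSA leaf can publish only "R*" issuers
and an ECDSA leaf only "E*" issuers. Added example; the certificates below
are constructed with dummy keys and are not real Let's Encrypt CAs."""
import hashlib

OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
OID_P256 = "1.2.840.10045.3.1.7"
OID_SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
OID_CN = "2.5.4.3"


def der(tag, content):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)


def tlv_iter(data):
    """Yield (tag, value, raw_tlv) for each top-level element of data."""
    i = 0
    while i < len(data):
        start, tag, length = i, data[i], data[i + 1]
        i += 2
        if length & 0x80:                      # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length], data[start:i + length]
        i += length


def subject_public_key_info(cert_der):
    """Certificate -> TBSCertificate -> raw DER SubjectPublicKeyInfo."""
    (_, cert_body, _), = tlv_iter(cert_der)
    _, tbs, _ = next(tlv_iter(cert_body))
    fields = list(tlv_iter(tbs))
    # TBSCertificate: [0] version (optional), serial, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...
    offset = 1 if fields[0][0] == 0xA0 else 0
    return fields[offset + 5][2]


def key_algorithm(spki_der):
    """'rsa' or 'ecdsa' from the SPKI AlgorithmIdentifier OID (else the OID)."""
    _, spki_body, _ = next(tlv_iter(spki_der))
    _, alg_id, _ = next(tlv_iter(spki_body))
    _, oid_body, _ = next(tlv_iter(alg_id))
    return {OID_RSA_ENCRYPTION: "rsa", OID_EC_PUBLIC_KEY: "ecdsa"}.get(
        decode_oid(oid_body), decode_oid(oid_body))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def tlsa_rdata(cert_der):
    """2 1 1 = DANE-TA, SPKI, SHA2-256 of the issuer's SubjectPublicKeyInfo."""
    return "2 1 1 " + sha256_hex(subject_public_key_info(cert_der))


def tlsa_rrset(owner, issuer_certs, algorithms=("rsa", "ecdsa")):
    """Zone lines for every issuer (current and backup) of the wanted algorithm(s)."""
    return [f"{owner} IN TLSA {tlsa_rdata(c)}" for c in issuer_certs
            if key_algorithm(subject_public_key_info(c)) in algorithms]


# --- constructed test certificates (dummy keys, unsigned) -------------------
def _name(cn):
    return der(0x30, der(0x31, der(0x30, encode_oid(OID_CN) + der(0x0C, cn.encode()))))


def _fake_cert(cn, spki_der):
    sig_alg = der(0x30, encode_oid(OID_SHA256_WITH_RSA) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"240606000000Z") + der(0x17, b"270606000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + _name("Fake Root") + validity + _name(cn) + spki_der)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 33))


RSA_SPKI = der(0x30, der(0x30, encode_oid(OID_RSA_ENCRYPTION) + der(0x05, b""))
               + der(0x03, b"\x00" + der(0x30, der(0x02, b"\x00" + b"\xAB" * 256)
                                          + der(0x02, b"\x01\x00\x01"))))
EC_SPKI = der(0x30, der(0x30, encode_oid(OID_EC_PUBLIC_KEY) + encode_oid(OID_P256))
              + der(0x03, b"\x00\x04" + b"\x11" * 64))
ISSUERS = {"R-fake": _fake_cert("Fake R", RSA_SPKI),   # stands in for an R* issuer
           "E-fake": _fake_cert("Fake E", EC_SPKI)}    # stands in for an E* issuer

if __name__ == "__main__":
    owner = "_25._tcp.mx.example.com."
    print("\n".join(tlsa_rrset(owner, ISSUERS.values())))            # both algorithms
    print("\n".join(tlsa_rrset(owner, ISSUERS.values(), ("ecdsa",))))  # E* only
```

Running it prints one "2 1 1" line per issuer for the full set and only the ECDSA line for the restricted set. Before narrowing the published RRset to one algorithm, the leaf certificates actually served must be of that algorithm, which is the "take appropriate action before switching" caveat above; the DER walker handles only definite-length encoding, which is all X.509 certificates use.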