On Mon, Jun 10, 2024 at 12:46:39PM +0200, Kirill Miazine wrote:
This has now (as of 2024-06-06) taken place, and I'm starting to see Let's Encrypt certificates from R10, R11, E5 and E6, and of course one's published TLSA RRset should always include the backup issuers.
However, it is possible to publish TLSA RRs that match just the "R*" CAs when you have RSA keys, or just the "E*" CAs for ECDSA keys. But don't forget to take appropriate action before switching algorithms or choosing to have keys/certs for both algorithms.
For more details:
beware that publishing TLSA RRs for *all* LE keys (10+4 for now, and only 10 in 3 months' time) could cause trouble when Exchange Online tries to do delivery... see https://www.mail-archive.com/mailop@mailop.org/msg22141.html for more details.
Are you sure the issue is related to the TLSA DNS response size? Note also that an MX with just RSA keys or just ECDSA keys needs only half (5) of the new intermediate CA records and at most one of the legacy CA records (since the E2 and R4 backups will never be used at this point).
So 6 records rather than 14 should be enough, or 12 for both RSA and ECDSA. Or if one post-processes the chain file to append the root CA certs, just two TLSA records (matching ISRG X1 and X2) would suffice.
https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
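As an added example (not code from this thread or from Let's Encrypt), a dependency-free Python tool that emits one DANE-TA "2 1 1" TLSA record per CA certificate in a PEM bundle (for instance a chain file with the ISRG X1/X2 roots appended, as the reply above suggests) and tags each as RSA or ECDSA so the R* and E* records can be published separately; the certificate below is a constructed sample and the owner name is a placeholder.

```python
import base64, hashlib, re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption (R* issuers)
EC_OID = bytes.fromhex("2a8648ce3d0201")       # id-ecPublicKey (E* issuers)
def der_tlv(buf, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value, end). X.509 uses single-byte tags."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_children(body):
    """Yield (tag, whole_tlv, value) for each element directly inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, val, end = der_tlv(body, pos)
        yield tag, body[pos:end], val
        pos = end
def extract_spki(cert_der):
    """Return the encoded SubjectPublicKeyInfo of a DER certificate (what a '2 1 1' record digests)."""
    _, _, tbs = next(der_children(der_tlv(cert_der)[1]))     # tbsCertificate
    fields = [f for f in der_children(tbs) if f[0] != 0xA0]  # drop the EXPLICIT [0] version
    return fields[5][1]  # serial, sigAlg, issuer, validity, subject, subjectPublicKeyInfo
def key_type(spki):
    """Classify an SPKI as RSA or ECDSA from its AlgorithmIdentifier OID."""
    alg_body = next(der_children(der_tlv(spki)[1]))[2]
    return {RSA_OID: "RSA", EC_OID: "ECDSA"}.get(next(der_children(alg_body))[2], "other")
def pem_certs(text):
    """Yield the DER bytes of every certificate in a PEM bundle."""
    for b64 in re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S):
        yield base64.b64decode("".join(b64.split()))
def tlsa_rrset(owner, pem_text):
    """One (key type, DANE-TA(2) SPKI(1) SHA2-256(1) record) per CA cert, so R*/E* sets stay separate."""
    return [(key_type(s), f"{owner} IN TLSA 2 1 1 {hashlib.sha256(s).hexdigest()}")
            for s in map(extract_spki, pem_certs(pem_text))]
def _tlv(tag, payload):  # minimal DER encoder, used only to build the constructed sample below
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload
# Constructed sample: a structurally valid (unsigned, empty-name) certificate carrying a P-256 SPKI.
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(6, EC_OID) + _tlv(6, bytes.fromhex("2a8648ce3d030107")))
                   + _tlv(3, b"\x00\x04" + b"\x11" * 64))
SAMPLE_CERT_DER = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(2, b"\x02")) + _tlv(2, b"\x01")
                                     + _tlv(0x30, b"") * 4 + SAMPLE_SPKI) + _tlv(0x30, b"") + _tlv(3, b"\x00"))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER).decode()
              + "-----END CERTIFICATE-----\n")
```

For a real MX, call `tlsa_rrset("_25._tcp.<your MX name>.", open("fullchain.pem").read())` on the chain file with the root certs appended and publish the resulting records; an RSA-only host can drop the entries tagged ECDSA, and vice versa.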