TLSA record hygiene for Let's Encrypt issuer CAs

[ Please read carefully, this post covers multiple Let's Encrypt-related topics ]

Some SMTP server operators have chosen to publish DANE TLSA records for their MX hosts that match one or more of the Let's Encrypt issuer CAs:

https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#cas

The "2 1 1" RRset to match one of R10–R14 should list them all, because certificate renewal randomly chooses of the active CAs (currently R10 and R11, but could as needed be one of the R12–R14 backups):

_25._tcp.mx.some.example. 2 1 1 2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba ; R10 _25._tcp.mx.some.example. 2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7 ; R11 _25._tcp.mx.some.example. 2 1 1 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4 ; R12 _25._tcp.mx.some.example. 2 1 1 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d ; R13 _25._tcp.mx.some.example. 2 1 1 f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888 ; R14

The "2 1 1" RRset to match one of E5–E9 should list them all, because certificate renewal randomly chooses of the active CAs (currently E5 and E6, but could as needed be one of the E7–E9 backups):

_25._tcp.mx.some.example. 2 1 1 3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8 ; E5 _25._tcp.mx.some.example. 2 1 1 d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7 ; E6 _25._tcp.mx.some.example. 2 1 1 cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75 ; E7 _25._tcp.mx.some.example. 2 1 1 885bf0572252c6741dc9a52f5044487fef2a93b811cdedfad7624cc283b7cdd5 ; E8 _25._tcp.mx.some.example. 2 1 1 f1440a9b76e1e41e53a4cb461329bf6337b419726be513e42e19f1c691c5d4b2 ; E9

Users whose MX hosts have both ECDSA and RSA certificates from Let's Encrypt, or who are switching between RSA and ECDSA keys (unclear to me whether or under what conditions this can happen automatically) may need to list all 10 intermediate CA RRs.

Some operators have chosen to publish TLSA records matching the ISRG Root CAs that are the issuers of the above intermediate certs. The "2 1 1" records for these are:

2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3 ; ISRG X1 (RSA 4096-bit) 2 1 1 762195c225586ee6c0237456e2107dc54f1efc21f61a792ebd515913cce68332 ; ISRG X2 (ECDSA P384)

The R10–R14 intermediate CA certificates are issued by "ISRG X1", while the E5–E9 intermediate CA certificates are issued by "ISRG X2". Though the root issuer is presently stable for a given server key type (RSA or ECDSA), I still recommend listing them both when listing either.

More critically, when listing the root CAs, the operator MUST make sure to include the root CA certificate in the server's configured chain file. Listing just the EE + intermediate cert (or sometimes just the EE cert) is not sufficient. See:

https://datatracker.ietf.org/doc/html/rfc7671#section-5.2.2 https://datatracker.ietf.org/doc/html/rfc7671#section-5.2.3

And of course when using "DANE-TA(2) X X" TLSA records, the server's EE certificate MUST be part of a chain with at least the intermediate CA certs.

It is also essential to keep track of periodic changes in the set of CAs used by the Let's Encrypt. As currently listed at:

https://letsencrypt.org/certificates/

and periodically announced on their blog, e.g.:

https://letsencrypt.org/2024/04/12/changes-to-issuance-chains/

In relation to keep track, I want to mention that a small, but non-trivial fraction of DANE MTA operators have failed to remove already long-retired CAs from their TLSA records (or, in a few cases, even switch from these to the active CAs!). These records SHOULD be removed. See

https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#mxhosts

These include:

- 1 MX hosts publishing X1 (DST root):

IN TLSA 2 0 1 7fdce3bf4103c2684b3adbb5792884bd45c75094c217788863950346f79c90a3

subject=C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1 issuer=O=Digital Signature Trust Co., CN=DST Root CA X3 notBefore=Oct 19 22:33:36 2015 GMT notAfter=Oct 19 22:33:36 2020 GMT

- 14 MX hosts publishing X3 (DST root):

IN TLSA 2 0 1 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d

subject=C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 issuer=O=Digital Signature Trust Co., CN=DST Root CA X3 notBefore=Mar 17 16:40:46 2016 GMT notAfter=Mar 17 16:40:46 2021 GMT

- 57 MX hosts publishing X3:

IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18 IN TLSA 2 1 2 774fad8c9a6afc2bdb44faba8390d213ae592fb0d56c5dfab152284e334d7cd6abd05799236e7aa6266edf81907c60404c57ee54c10a3a82fcc2a9146629b140

subject=C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1 notBefore=Oct 6 15:43:55 2016 GMT notAfter=Oct 6 15:43:55 2021 GMT

- 14 MX hosts publishing X4:

IN TLSA 2 1 1 b111dd8a1c2091a89bd4fd60c57f0716cce50feeff8137cdbee0326e02cf362b

subject=C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X4 issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1 notBefore=Oct 6 15:44:34 2016 GMT notAfter=Oct 6 15:44:34 2021 GMT

- 398 MX hosts publishing R3:

IN TLSA 2 0 1 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd IN TLSA 2 0 2 96c5793b2b57d8df5891c94015720960e0da4c2cf8ce1fc5707a0b46e5db8ce3761fb5fdb430f619d1579f13e80fbdd973ef6a024129ed039aa193273158fcad IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d IN TLSA 2 1 2 0f644c9a1dcb8c04be6b385a60dbe4fdf7e2b81e335c9ad8c7cd0abe2ff9e7e5bbfbb68b38dd0216f17808f48bdf6af8c6347659c1f41a9858032c31f436d12c

subject=C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X4 issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1 notBefore=Oct 6 15:44:34 2016 GMT notAfter=Oct 6 15:44:34 2021 GMT

- 134 MX hosts publishing R4:

IN TLSA 2 0 1 1a07529a8b3f01d231dfad2abdf71899200bb65cd7e03c59fa82272533355b74 IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 IN TLSA 2 1 2 59a91d97d81980951d0ef3c6d849b31606af9ab2b0f7dcfac93a53ae3263eb8902c3b7c564f33ff496f2d07c750b1b6924968c243882af9e3532797eef596f27

subject=C=US, O=Let's Encrypt, CN=R4 issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1 notBefore=Sep 4 00:00:00 2020 GMT notAfter=Sep 15 16:00:00 2025 GMT

- 125 MX hosts publishing E1

IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 IN TLSA 2 1 2 3561540fbf182bce7749acc131b421e691f083569c053e78f20274714c5e801226ff6edb60641ddf70e71bd3a90dfe25ddd6464be78106b77dece4f6a3bff13d

subject=C=US, O=Let's Encrypt, CN=E1 issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X2 notBefore=Sep 4 00:00:00 2020 GMT notAfter=Sep 15 16:00:00 2025 GMT

- 100 MX hosts publishing E2

IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 IN TLSA 2 1 2 23a30bd3b617652e97224e1faf673c4e09f1c197e4994274e676f2490893e9560d99f00a8859e399b2c65219ce2eb9b76784a0ec775ab4973a14fc1437ac7d9f

subject=C=US, O=Let's Encrypt, CN=E2 issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X2 notBefore=Sep 4 00:00:00 2020 GMT notAfter=Sep 15 16:00:00 2025 GMT

- 2 MX hosts publishing the long expired cross-signed by DST ISRG Root X1:

IN TLSA 2 0 1 6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f

subject=C=US, O=Internet Security Research Group, CN=ISRG Root X1 issuer=O=Digital Signature Trust Co., CN=DST Root CA X3 notBefore=Jan 20 19:14:03 2021 GMT notAfter=Sep 30 18:14:03 2024 GMT