Hi
• Viktor Dukhovni [2024-06-10 14:00]:
On Mon, Jun 10, 2024 at 12:46:39PM +0200, Kirill Miazine wrote:
This has now (as of 2024-06-06) taken place, and I'm starting to see Let's Encrypt certificates from R10, R11, E5 and E6, and of course one's published TLSA RRset should always include the backup issuers.
However, it is possible to publish TLSA RRs that match just the "R*" CAs when you have RSA keys, or just the "E*" CAs for ECDSA keys. But don't forget to take appropriate action before switching algorithms or choosing to have keys/certs for both algorithms.
For more details:
beware that publishing TLSA RRs for *all* LE keys (10+4 for now, and only 10 in 3 months' time) could cause trouble when Exchange Online tries to do delivery... see https://www.mail-archive.com/mailop@mailop.org/msg22141.html for more details.
Are you sure the issue is related to the TLSA DNS response size? Note also that an MX with just RSA keys or just ECDSA keys needs only half (5) of the new intermediate CA records and at most one of the legacy CA records (since the E2 and R4 backups will never be used at this point).
I didn't say it was related to DNS response size, as I don't have any insight into what is going on at Microsoft -- it was just an observation that Microsoft seems to choke on DNSSEC validation when the number of TLSA RRs gets high, with a rather misleading error message: "dnssec-invalid: Destination domain returned invalid DNSSEC records"
Testing with sending from Outlook to domains with an increasing number of TLSA RRs gave me the number of TLSA RRs Microsoft was able to validate: 12. I don't have any insight into whatever Microsoft is doing, but I was notified of a similar issue by a local mail provider with some tens of thousands of mailboxes, so I shared the observations with the fellow postmasters.
So 6 records rather than 14 should be enough, or 12 for both RSA and ECDSA. Or if one post-processes the chain file to append the root CA certs, just two TLSA records (matching ISRG X1 and X2) would suffice.
https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Yeah, once the issue is known, the solutions are multiple.
Notifying dane-users of my mailop post was solely due to the following sentence on the page above:
If your server has both RSA and ECDSA keys, you'll need to publish TLSA records matching both the "R*" and "E*" issuer CAs.
Counting records matching both the "R*" and "E*" issuer CAs in the table on that page gives me 14.
I used to have LE TLSAs referenced by a single name; it had worked well since 2020, when I first started using DANE. IIRC E* certs appeared during the previous round of intermediate cert updates. But the number was still manageable. Now I'll just have TLSA RRs in two names: one for RSA and one for ECDSA.
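The per-algorithm split the thread ends up with, as an added Python example that is not part of the original mail thread and not code from Viktor's page: it derives DANE-TA(2) SPKI(1) SHA2-256(1) records from a PEM chain of issuer certificates, groups them by the issuer's key algorithm so the "R*" (RSA) and "E*" (ECDSA) issuers can be published under separate TLSA names, and flags any RRset larger than the 12 records Kirill observed Microsoft validating. The usage/selector/matching-type choice, the function names and `OBSERVED_RRSET_LIMIT` are this example's own. The two embedded certificates are constructed, unsigned DER skeletons with empty names so the example runs offline; on a real MX you would feed it the intermediate CA certificates you intend to match, backups included.

```python
"""Build DANE TLSA "2 1 1" records from a PEM chain, grouped by issuer key
algorithm, and flag RRsets that exceed an observed validation limit."""
import base64
import hashlib
import re

# Key-algorithm OIDs found in a certificate's SubjectPublicKeyInfo.
OID_RSA = "1.2.840.113549.1.1.1"
OID_EC = "1.2.840.10045.2.1"

# Example's own constant: largest TLSA RRset Microsoft was seen to validate
# in the thread above; treat as an observation, not a documented limit.
OBSERVED_RRSET_LIMIT = 12


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, raw_tlv, next_pos)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end


def _children(seq_value):
    """Split the content of a SEQUENCE into its (tag, value, raw_tlv) elements."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, raw, pos = _read_tlv(seq_value, pos)
        out.append((tag, val, raw))
    return out


def _decode_oid(value):
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER value."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def spki_der(cert_der):
    """Return the raw DER of the certificate's subjectPublicKeyInfo (selector 1)."""
    _, cert_val, _, _ = _read_tlv(cert_der, 0)          # Certificate
    fields = _children(_children(cert_val)[0][1])       # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]


def key_algorithm(cert_der):
    """'RSA', 'ECDSA', or the bare OID for anything else."""
    _, spki_val, _, _ = _read_tlv(spki_der(cert_der), 0)
    alg_val = _children(spki_val)[0][1]                 # AlgorithmIdentifier
    oid = _decode_oid(_children(alg_val)[0][1])         # its algorithm OID
    return {OID_RSA: "RSA", OID_EC: "ECDSA"}.get(oid, oid)


def tlsa_211(cert_der):
    """TLSA rdata: usage 2 (DANE-TA), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return f"2 1 1 {sha256_hex(spki_der(cert_der))}"


def pem_chain_to_der(pem_text):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def tlsa_by_algorithm(pem_text):
    """Group records by key algorithm so RSA and ECDSA issuers get separate names."""
    groups = {}
    for der in pem_chain_to_der(pem_text):
        groups.setdefault(key_algorithm(der), []).append(tlsa_211(der))
    return groups


def check_rrset_size(records, limit=OBSERVED_RRSET_LIMIT):
    """True when the RRset stays within the observed validation limit."""
    return len(records) <= limit


# --- constructed sample input (not real certificates) ----------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _sample_cert(key_oid, params, key_bits):
    """Unsigned certificate skeleton: only the DER layout matters for this demo."""
    spki = _der(0x30, _der(0x30, _der(0x06, key_oid) + params) + _der(0x03, b"\x00" + key_bits))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))          # [0] version v3
                     + _der(0x02, b"\x01")                    # serialNumber
                     + _der(0x30, _der(0x06, key_oid))        # signature (placeholder)
                     + _der(0x30, b"") + _der(0x30, b"")      # issuer, validity (empty)
                     + _der(0x30, b"") + spki)                # subject (empty), SPKI
    return _der(0x30, tbs + _der(0x30, _der(0x06, key_oid)) + _der(0x03, b"\x00")), spki


def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


SAMPLE_RSA_DER, SAMPLE_RSA_SPKI = _sample_cert(
    bytes.fromhex("2A864886F70D010101"), _der(0x05, b""), b"\x30\x06\x02\x01\x03\x02\x01\x03")
SAMPLE_EC_DER, SAMPLE_EC_SPKI = _sample_cert(
    bytes.fromhex("2A8648CE3D0201"), _der(0x06, bytes.fromhex("2A8648CE3D030107")), b"\x04" + bytes(16))
SAMPLE_CHAIN_PEM = _pem(SAMPLE_RSA_DER) + _pem(SAMPLE_EC_DER)

if __name__ == "__main__":
    for alg, records in tlsa_by_algorithm(SAMPLE_CHAIN_PEM).items():
        status = "ok" if check_rrset_size(records) else f"over {OBSERVED_RRSET_LIMIT}"
        print(f"{alg}: {len(records)} TLSA record(s), {status}")
        for rdata in records:
            print("   ", rdata)
```

Publish each group under its own owner name (for example one `_25._tcp` target per key type, with the MX pointing at the name that matches the key it serves), and keep each group, backup issuers included, under the observed ceiling.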