hi,
If you prefer to instead pin the ISRG root CAs, you MUST ensure that your SMTP server's chain file also includes the ISRG X1 or ISRG X2 root (whichever happened to issue the intermediate CA cert), and then you can publish TLSA records matching these roots.
thx for the heads-up.
i'm using dane "3 1 2" records; all checks are good.
i note LE's current Chain of Trust is
roots:
  ISRG Root X1: RSA 4096, until 2030-06-04 (generated 2015-06-04)
  ISRG Root X2: ECDSA P-384, until 2035-09-04 (generated 2020-09-04)
and intermediates:
  Let’s Encrypt E5: ECDSA P-384, until 2027-03-12
  Let’s Encrypt E6: ECDSA P-384, until 2027-03-12
  Let’s Encrypt R10: RSA 2048, until 2027-03-12
  Let’s Encrypt R11: RSA 2048, until 2027-03-12
to date, my cert generation has had
DEFAULT_PREFERRED_CHAIN='ISRG Root X1'
, i.e. RSA.
and, i publish both RSA and ECDSA DANE records.
reading @ https://letsencrypt.org/upcoming-features/
  Completed Features
  ECDSA Root and Intermediates
  Enabled: June 06, 2024
  We are issuing certificates from our production ECDSA intermediates to ECDSA leaf certificates. See the Chains of Trust documentation for full details on our PKI hierarchy.
iiuc, that's full/official support for ECDSA issuance.
and a switch to ECDSA
DEFAULT_PREFERRED_CHAIN='ISRG Root X2'
should be (?) reasonably well tolerated.
i'm unclear on
is it DANE-safe? or DANE-recommended?
(re-)reading the OP, I _think_ we're ok ... but, best to double-check.
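The post above relies on "3 1 2" TLSA records, i.e. DANE-EE (usage 3), SubjectPublicKeyInfo selector (1), SHA-512 matching type (2). The following is an added example, not code from the thread or from Let's Encrypt, showing how such a record is derived and checked with nothing but the Python standard library: a minimal DER walker pulls the SPKI out of a certificate, and the record is the SHA-512 of that DER. The certificates used are constructed, unsigned toy objects with a made-up P-384 key (not real key material, not a real chain); the issuer names are taken from the chain listed above only to show that a "3 1 x" record depends solely on the leaf key, so it is unaffected by which intermediate or root (X1 vs X2) signs the leaf, whereas a re-key produces a new SPKI and therefore needs a new record. Usage 2 (pinning a root, as the quoted OP describes) behaves differently: there the pinned CA must actually appear in the served chain.

```python
"""Derive and check DANE-EE SPKI TLSA records ("3 1 2") with the stdlib only.

Added example. The DER encoder/decoder below is a minimal hand-written
walker for the fixed X.509 field order (no general ASN.1 support), and the
sample certificates are constructed toys without a real signature or key.
"""
import hashlib

# ---- minimal DER encoding, used only to build the constructed sample certs ----
def der(tag: int, content: bytes) -> bytes:
    """Encode one TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

def name_cn(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF { id-at-commonName, UTF8String }."""
    oid_cn = der(0x06, bytes.fromhex("550403"))
    return seq(der(0x31, seq(oid_cn, der(0x0C, cn.encode()))))

def ec_p384_spki(point: bytes) -> bytes:
    """SubjectPublicKeyInfo for id-ecPublicKey / secp384r1 (constructed point)."""
    alg = seq(der(0x06, bytes.fromhex("2A8648CE3D0201")),   # id-ecPublicKey
              der(0x06, bytes.fromhex("2B81040022")))       # secp384r1
    return seq(alg, der(0x03, b"\x00\x04" + point))         # uncompressed point

def make_cert(issuer_cn: str, spki: bytes) -> bytes:
    """Constructed X.509 v3 shell: correct field order, dummy signature."""
    sig_alg = seq(der(0x06, bytes.fromhex("2A8648CE3D040303")))  # ecdsa-with-SHA384
    tbs = seq(
        der(0xA0, der(0x02, b"\x02")),                       # [0] version v3
        der(0x02, b"\x01"),                                  # serialNumber
        sig_alg,
        name_cn(issuer_cn),
        seq(der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z")),
        name_cn("mail.example.org"),
        spki,
    )
    return seq(tbs, sig_alg, der(0x03, b"\x00" + bytes(8)))

# ---- minimal DER decoding ----
def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, end_offset) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hlen = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hlen = 2 + nbytes
    start = pos + hlen
    return tag, buf[start:start + length], start + length

def children(content: bytes):
    """Split a constructed value into its child TLVs (full TLV bytes each)."""
    pos, out = 0, []
    while pos < len(content):
        _, _, end = read_tlv(content, pos)
        out.append(content[pos:end])
        pos = end
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Full DER TLV of subjectPublicKeyInfo (what TLSA selector 1 hashes)."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs_body, _ = read_tlv(children(cert_body)[0], 0)   # tbsCertificate
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:                                # optional [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5]

# ---- TLSA rdata ----
def tlsa_rdata(cert_der: bytes, usage=3, selector=1, mtype=2) -> str:
    data = {0: cert_der, 1: extract_spki(cert_der)}[selector]
    digest = {0: data.hex(),
              1: hashlib.sha256(data).hexdigest(),
              2: hashlib.sha512(data).hexdigest()}[mtype]
    return f"{usage} {selector} {mtype} {digest}"

def dane_ee_matches(cert_der: bytes, records) -> bool:
    """True if any published DANE-EE (usage 3) record matches the leaf alone."""
    for rec in records:
        rec = " ".join(rec.split()).lower()
        usage, selector, mtype, _ = rec.split(" ", 3)
        if usage != "3":
            continue    # usage 0/1/2 also involve the chain; not decided here
        if tlsa_rdata(cert_der, 3, int(selector), int(mtype)) == rec:
            return True
    return False

# Constructed sample: same leaf key under two issuers, and a re-keyed leaf.
KEY_A = ec_p384_spki(bytes(range(1, 97)))          # made-up 96-byte point
KEY_B = ec_p384_spki(bytes(range(96, 0, -1)))      # a different made-up key
CERT_E5 = make_cert("Let's Encrypt E5", KEY_A)
CERT_E6 = make_cert("Let's Encrypt E6", KEY_A)      # same key, other intermediate
CERT_REKEYED = make_cert("Let's Encrypt E5", KEY_B)

if __name__ == "__main__":
    published = [tlsa_rdata(CERT_E5)]
    print(published[0])
    print("E6 chain, same key :", dane_ee_matches(CERT_E6, published))
    print("re-keyed leaf      :", dane_ee_matches(CERT_REKEYED, published))
```

Run against a real PEM (decoded with `base64`) the same `tlsa_rdata` output should equal what `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha512` prints, which is a handy cross-check before publishing. The practical consequence for the question in the post: switching the preferred chain only changes the issuer and chain, not the leaf SPKI, so existing "3 1 x" records stay valid; what does invalidate them is a new key, so the record for the next key must be published (and DNS TTLs allowed to expire) before the rollover.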