On 2017-02-20 at 22:38 -0500, Viktor Dukhovni wrote:
> Indeed this is the key issue. The certificate provided by Let's Encrypt should not be deployed as the live certificate used by the MTA until the DNS TLSA records have been in place for at least a couple of TTLs.
This is why I just use DANE on the CA certs, with a spare CA entry, so that I don't need to coordinate grace periods around updating DNS on each renewal.
For exim.org, it's just LE. I ended up dropping down to just X3 and X4.
For my own domains, it's LE and my private CAs.
For HPKP where there is a little more room inside the TCP stream and I set longer TTLs, I include a commercial CA too; if everything goes to hell and I end up paying for some certs for a year, I at least have an exit plan. I can add to DNS as-and-when needed.
-Phil
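The trade-off Phil describes, modelled as an added example that is not part of the thread: DANE-TA (usage 2) records for the live issuer plus a spare keep matching when a renewal lands on the other intermediate, whereas a DANE-EE (usage 3) record pinned to the leaf key breaks on the first renewal. The byte strings standing in for DER certificates and SPKI blobs are constructed placeholders, not real Let's Encrypt data.

```python
import hashlib

# Constructed stand-ins for DER certificates and SubjectPublicKeyInfo blobs.
# Real records would hash the actual DER bytes of the issuing CA certificate.
CA_X3 = {"cert": b"constructed-der:LE-X3-cert", "spki": b"constructed-der:LE-X3-spki"}
CA_X4 = {"cert": b"constructed-der:LE-X4-cert", "spki": b"constructed-der:LE-X4-spki"}
CA_OTHER = {"cert": b"constructed-der:other-cert", "spki": b"constructed-der:other-spki"}

def _digest(data, mtype):
    """RFC 6698 matching type: 0 = full data, 1 = SHA-256, 2 = SHA-512."""
    if mtype == 0:
        return data.hex()
    if mtype == 1:
        return hashlib.sha256(data).hexdigest()
    if mtype == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("unknown matching type %d" % mtype)

def tlsa_record(entity, usage, selector=1, mtype=1):
    """Presentation form 'usage selector mtype hex'; selector 1 = SPKI, 0 = full cert."""
    data = entity["spki"] if selector == 1 else entity["cert"]
    return "%d %d %d %s" % (usage, selector, mtype, _digest(data, mtype))

def chain_matches(tlsa_records, ee, intermediates):
    """True if any published record matches the offered chain.
    Usage 3 (DANE-EE) is checked against the leaf; usage 2 (DANE-TA) against any
    issuer in the chain. PKIX-constrained usages 0/1 are not modelled here."""
    for rec in tlsa_records:
        usage, selector, mtype, digest = rec.split()
        usage, selector, mtype = int(usage), int(selector), int(mtype)
        candidates = [ee] if usage == 3 else (intermediates if usage == 2 else [])
        for c in candidates:
            data = c["spki"] if selector == 1 else c["cert"]
            if _digest(data, mtype) == digest:
                return True
    return False

def issue(ca, serial):
    """Constructed renewal: a fresh leaf key each time, issued by `ca`."""
    return {"cert": b"constructed-der:ee-cert-%d" % serial,
            "spki": b"constructed-der:ee-spki-%d" % serial, "issuer": ca}

def simulate():
    ta_records = [tlsa_record(CA_X3, 2), tlsa_record(CA_X4, 2)]  # live issuer + spare
    first = issue(CA_X3, 1)
    ee_records = [tlsa_record(first, 3)]                         # pin to the current leaf
    renewed = issue(CA_X4, 2)                                    # renewal lands on the spare CA
    return {"ta_before": chain_matches(ta_records, first, [first["issuer"]]),
            "ta_after": chain_matches(ta_records, renewed, [renewed["issuer"]]),
            "ee_before": chain_matches(ee_records, first, [first["issuer"]]),
            "ee_after": chain_matches(ee_records, renewed, [renewed["issuer"]]),
            "ta_foreign": chain_matches(ta_records, issue(CA_OTHER, 3), [CA_OTHER])}
```

Only the DANE-EE record goes stale after the renewal, which is the DNS coordination the spare CA entry avoids; a chain from an unlisted CA still fails under DANE-TA.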