My previous post on this topic noted that Let's Encrypt are planning to *randomise* the choice of intermediate issuer CA used with each renewal.
It now turns out that they will also be switching to new underlying intermediate CAs. So you'll get a random choice of *new* issuers.
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/L7XoAXt_s1c/...
- We will be generating 5 RSA and 5 ECDSA intermediates, instead of 2 each. We plan to automatically rotate issuance between multiple intermediates for improved redundancy.
- We will be shortening their validity period from 5 years to 3 years, to reflect our commitment to issue new intermediates every 2 years.
So anyone relying on DANE-TA(2) (certificate usage 2) needs to closely watch for upcoming announcements from LE, and be prepared to add TLSA records for the new intermediates soon. Or stop playing their game, and switch to a robust "3 1 1" + "3 1 1" model with a stable-by-default key during certificate renewals.
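The contrast between the two models, as an added example that is not part of the original post and not Let's Encrypt's or any ACME client's code. It uses only the Python standard library: a minimal DER walker pulls the SubjectPublicKeyInfo out of a certificate, and the TLSA data for selector 1 / matching type 1 is simply SHA-256 over that DER. All key material is constructed in the file (deterministic Ed25519-shaped SPKIs, chosen because they are 44 bytes; the hash works the same for the RSA and ECDSA keys LE actually issues), the certificate builder produces a certificate-shaped blob with a placeholder signature, and the owner name `_25._tcp.mail.example.com.` is hypothetical.

```python
"""DANE TLSA records for DANE-EE(3) with a stable key versus DANE-TA(2).

Added example, standard library only. Keys and certificates below are
constructed placeholders, not real Let's Encrypt material.
"""
import base64
import hashlib


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, body, position after the TLV) for the TLV at pos."""
    tag = buf[pos]
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def der_children(body: bytes):
    """List of (tag, full TLV bytes) for each element of a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, nxt = der_read(body, pos)
        out.append((tag, body[pos:nxt]))
        pos = nxt
    return out


ED25519_OID = bytes.fromhex("06032b6570")   # OID 1.3.101.112


def ed25519_spki(raw32: bytes) -> bytes:
    """SubjectPublicKeyInfo wrapping a 32-byte Ed25519 key (RFC 8410)."""
    return der_tlv(0x30, der_tlv(0x30, ED25519_OID) + der_tlv(0x03, b"\x00" + raw32))


def spki_from_cert(cert_der: bytes) -> bytes:
    """Extract subjectPublicKeyInfo from an X.509 certificate (RFC 5280 layout)."""
    _, cert_body, _ = der_read(cert_der)
    tbs = der_children(cert_body)[0][1]          # tbsCertificate
    _, tbs_body, _ = der_read(tbs)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def to_pem(spki: bytes) -> str:
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def spki_from_pem(pem: str) -> bytes:
    return base64.b64decode("".join(l for l in pem.strip().splitlines() if not l.startswith("-----")))


def tlsa(usage: int, data: bytes, owner: str = "_25._tcp.mail.example.com.") -> str:
    """TLSA record with selector 1 (SPKI) and matching type 1 (SHA-256)."""
    return f"{owner} IN TLSA {usage} 1 1 {hashlib.sha256(data).hexdigest()}"


def fake_cert(spki: bytes) -> bytes:
    """Certificate-shaped DER with an empty issuer/subject and a zero signature."""
    name = der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_tlv(0x18, b"20240101000000Z") * 2)
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + der_tlv(0x30, ED25519_OID) + name + validity + name + spki)
    return der_tlv(0x30, tbs + der_tlv(0x30, ED25519_OID) + der_tlv(0x03, b"\x00" + bytes(64)))


# Constructed sample keys (hash of a label, NOT real keys).
SERVER_KEY = ed25519_spki(hashlib.sha256(b"current server key").digest())
NEXT_KEY = ed25519_spki(hashlib.sha256(b"next server key").digest())
ISSUER_A = ed25519_spki(hashlib.sha256(b"intermediate A").digest())
ISSUER_B = ed25519_spki(hashlib.sha256(b"intermediate B").digest())


def dane_ee_records(current_spki: bytes, next_spki: bytes):
    """'3 1 1' + '3 1 1': current key plus the pre-generated next key."""
    return [tlsa(3, current_spki), tlsa(3, next_spki)]


def dane_ta_record(issuer_spki: bytes) -> str:
    """'2 1 1': pins the issuing intermediate, so it breaks when LE rotates issuers."""
    return tlsa(2, issuer_spki)


if __name__ == "__main__":
    renewed = fake_cert(SERVER_KEY)               # renewal that kept the key
    print(tlsa(3, spki_from_cert(renewed)))       # same record as before renewal
    print(dane_ta_record(ISSUER_A), dane_ta_record(ISSUER_B), sep="\n")
```

With the key kept across renewals (every mainstream ACME client can reuse the existing private key), the "3 1 1" record computed from the renewed certificate is byte-for-byte the one already in DNS, and the second "3 1 1" for the next key lets you roll the key on your own schedule: publish the new record, wait out the TTL, then switch keys. The "2 1 1" record, by contrast, is tied to whichever of the intermediates the CA happened to sign with.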