hi,
a bit late, well early, to focus on all your comments, so will do that in a while ...
but, one quick question re:
> Note also that the "ISRG X1" or "ISRG X2" root CA cert (whichever is the issuer of your intermediate CA cert) is not included in your server certificate chain file, so the TLSA records for these won't work with at least the DANE TLSA code in Postfix and Exim and likely other MTAs.
my Postfix config has
smtpd_tls_chain_files = /sec/ssl/le/deploy/deploy/${v_MY_DOM}/priv.ec.key, /sec/ssl/le/deploy/deploy/${v_MY_DOM}/fullchain.ec.crt.pem, /sec/ssl/le/deploy/deploy/${v_MY_DOM}/priv.rsa.key, /sec/ssl/le/deploy/deploy/${v_MY_DOM}/fullchain.rsa.crt.pem
where LE's fullchain certs are the usual concat of my dom's cert.pem with their intermediate cert chain.
so, as said, NOT including the X1 and X2 root certs.
my understanding of the "3 1 2" records is that the inclusion of the X1/X2 root certs is _not_ required.
and that your warning is re: the "2 1 1" use case. correct?
atm, i cleaned up my includes -- removing the old/deprecated intermediates -- and have the current ones published. my intention is to verify i've got my "3 1 2" setup working after monkeying with it, and unpublish the "2 1 1" records.
thx for the reminder re: self-checking with danesmtp!
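The "3 1 2" versus "2 1 1" question above comes down to which certificates the chain file actually carries, so a self-check is to compute the TLSA rdata from the very PEM bundle Postfix serves and compare it with what is published. The script below is an added example, not code from this thread, from Postfix or from Let's Encrypt. It extracts the SubjectPublicKeyInfo (selector 1) with a small stdlib DER walker, which is the same bytes `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER` would hand to `openssl dgst`, and it goes slightly beyond the two record types in the post by also accepting selector 0 (full cert) and matching type 1 (SHA-256). The sample chain is constructed in the block from unsigned, structurally valid fake certificates (hypothetical SPKIs labelled "leaf", "intermediate", "root"); the "root" cert is deliberately left out of the fake fullchain, mirroring an LE fullchain that stops at the intermediate. Pointing it at a real `fullchain.ec.crt.pem` is the intended use.

```python
"""Compute TLSA rdata from a chain file and see which published records the served chain can satisfy."""
import base64
import hashlib
import re
import sys

# ---- minimal DER reader: just enough to pull SubjectPublicKeyInfo out of an X.509 cert ----

def _der_len(buf, i):
    """Decode the DER length whose first byte is buf[i]; return (length, offset of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_children(buf, start, end):
    """Yield (tag, whole TLV bytes) for each element of a constructed value spanning buf[start:end]."""
    i = start
    while i < end:
        length, content = _der_len(buf, i + 1)
        yield buf[i], buf[i:content + length]
        i = content + length

def spki_from_cert_der(cert_der):
    """Return the DER SubjectPublicKeyInfo (TLSA selector 1) of a DER-encoded certificate."""
    length, content = _der_len(cert_der, 1)                     # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _tag, tbs = next(_der_children(cert_der, content, content + length))
    tlen, tcontent = _der_len(tbs, 1)                            # TBSCertificate ::= SEQUENCE { ... }
    fields = list(_der_children(tbs, tcontent, tcontent + tlen))
    if fields[0][0] == 0xA0:                                     # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_chain_to_ders(pem_text):
    """Split a PEM bundle (leaf first, as in an LE fullchain) into DER certs in file order."""
    return [base64.b64decode("".join(m.group(1).split())) for m in _PEM_RE.finditer(pem_text)]

def tlsa_rdata(cert_der, usage, selector=1, mtype=2):
    """usage 3 = DANE-EE, 2 = DANE-TA; selector 0 = full cert, 1 = SPKI; mtype 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_from_cert_der(cert_der)
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest()
    return f"{usage} {selector} {mtype} {digest}"

def tlsa_records_for_chain(pem_text):
    """'3 1 2' for the end-entity cert, plus a '2 1 1' for every issuer cert the chain file actually carries."""
    ders = pem_chain_to_ders(pem_text)
    return [tlsa_rdata(ders[0], 3, 1, 2)] + [tlsa_rdata(d, 2, 1, 1) for d in ders[1:]]

def match_published(published, pem_text):
    """Map each published rdata to the index of the served cert it matches (0 = leaf), or None if nothing in the file matches."""
    ders = pem_chain_to_ders(pem_text)
    out = {}
    for rd in published:
        usage, selector, mtype, digest = rd.split()
        out[rd] = next((i for i, d in enumerate(ders)
                        if tlsa_rdata(d, int(usage), int(selector), int(mtype)).split()[3] == digest.lower()), None)
    return out

# ---- constructed sample data (hypothetical; not real Let's Encrypt certificates or keys) ----

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _fake_spki(label):
    """Structurally valid SPKI (id-ecPublicKey OID, bogus key bits) so the DER walker has a real field to find."""
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + label))

def _fake_cert_pem(spki):
    """Unsigned, structurally valid X.509 v3 DER in PEM: enough for SPKI extraction, useless for TLS."""
    empty_seq = _tlv(0x30, b"")
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + empty_seq * 4 + spki
    der = _tlv(0x30, _tlv(0x30, tbs) + empty_seq + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

LEAF_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI = _fake_spki(b"leaf"), _fake_spki(b"intermediate"), _fake_spki(b"root")
SAMPLE_FULLCHAIN_PEM = _fake_cert_pem(LEAF_SPKI) + _fake_cert_pem(INTERMEDIATE_SPKI)   # root deliberately absent
SAMPLE_PUBLISHED = tlsa_records_for_chain(SAMPLE_FULLCHAIN_PEM) + [
    tlsa_rdata(pem_chain_to_ders(_fake_cert_pem(ROOT_SPKI))[0], 2, 1, 1)]            # a "2 1 1" for the root

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # real use: python3 tlsa_check.py /path/to/fullchain.ec.crt.pem
        print("\n".join(tlsa_records_for_chain(open(sys.argv[1]).read())))
    else:
        for rd, idx in match_published(SAMPLE_PUBLISHED, SAMPLE_FULLCHAIN_PEM).items():
            print(rd[:12] + "...", "-> served cert", idx if idx is not None else "NONE (not in chain file)")
```

In the sample run the leaf "3 1 2" record and the intermediate "2 1 1" record each map to a certificate in the chain file, while the root "2 1 1" maps to none, which is exactly the case the quoted note warns about: a DANE-TA record for a root the server never sends cannot be matched by a Postfix or Exim client. Matching against the chain file is only the local half of the check; it says nothing about DNSSEC validity of the zone or about whether the DNS record was updated after a key rollover, so the remote-side test with danesmtp (or Postfix's own `posttls-finger`) is still the one that counts.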