New Let's Encrypt intermediate issuer CAs activated
It appears that starting a couple of days ago, newly issued/renewed Let's Encrypt (LE) certificates will be signed by R12, R13, E7 and E8, rather than the previously active R10, R11, E5 and E6. See the announcement at:

https://community.letsencrypt.org/t/switching-issuance-to-new-intermediates/...

and the associated advice on the DANE survey site:

https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

Of course everyone who includes LE issuer CA public key or cert hashes in their TLSA records should already be covered by including all of R10-R14 and/or E5-E9, but sadly many are not, because the DANE survey shows that the MX host counts for the various LE CAs are skewed in favour of the previously active issuers:

        # | CA
    ------+-----
       63 | X3 -- Long obsolete, should not be used
       12 | X4 -- Long obsolete, should not be used
      370 | R3 -- Long obsolete, should not be used
      119 | R4 -- Long obsolete, should not be used
      116 | E1 -- Long obsolete, should not be used
       91 | E2 -- Long obsolete, should not be used
      773 | E5
      803 | E6
      392 | E7
      391 | E8
      382 | E9
      813 | R10
      806 | R11
      466 | R12
      469 | R13
      462 | R14
      608 | ISRG X1 root
      246 | ISRG X2 root

If you still want to rely on TLSA records tied to the LE issuers, and haven't published the appropriate full set of hashes, better late than never. You'll need to do so now. And of course you'll need to keep up with the news from LE and make additional timely changes in the future as the CAs used by LE evolve.

--
Viktor.

🇺🇦 Glory to Ukraine!
On Sun, Aug 24, 2025 at 03:56:06AM +1000, Viktor Dukhovni wrote:
> It appears that starting a couple of days ago, newly issued/renewed Let's Encrypt (LE) certificates will be signed by R12, R13, E7 and E8, rather than the previously active R10, R11, E5 and E6. See the announcement at:
>
> https://community.letsencrypt.org/t/switching-issuance-to-new-intermediates/...
>
> and the associated advice on the DANE survey site:
By this time all certificates issued by R10, R11, E5, E6 and all previously retired CAs have expired, and publishing TLSA records matching such CAs no longer makes sense (it is unnecessary bloat in your DNS data and a security exposure should their keys be compromised). Therefore, all the below DANE-TA(2) TLSA records should be dropped from all TLSA RRsets (some Cert(0) selectors appear multiple times for the same CA because there are multiple versions of that intermediate CA's certificate with different issuers, ...).

- R11:

    2 1 2 8854317b0a187b35956b5fd361f6101c86be4741107be8847ef4e3f48abf53200f65414c281fbdf08218ff14d15d6d1c5f2e9a1f09d7ce39d0ecf6adb654ea4a
    2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7
    2 0 2 429fdae7d17a336879b0e6316ae6a5341ae5abb7ec7f7ed7eaad807228e346e7942378ef8cdd50cdd3b84670b0af274763d6e90d58eb3a483fb52d97f204b6da
    2 0 1 591e9ce6c863d3a079e9fabe1478c7339a26b21269dde795211361024ae31a44

- R10:

    2 1 2 86fb010ee652f162e22ba2ba48e45d3a19ee557ab8d2601aabd62c993a81417467bf9a8c50ba03f2315dfbb028478b22923bd87e3bbeeb02fc1f69104782eea4
    2 1 1 2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba
    2 0 2 c5d1dd8b4ee8a17a351bb0fa40cc020e9b3364c59d9006badecc61bd5ca0c2b9729eab50da166633e4b0360ab914c42aa74cca861640e0abe5514430bb0daeaa
    2 0 1 9d7c3f1aa6ad2b2ec0d5cf1e246f8d9ae6cbc9fd0755ad37bb974b1f2fb603f3

- E6:

    2 1 2 f8a2b4e23e82a4494e9998fcc4242bef1277656a118beede55ddfadcb82e20c5dc036dcb3b6c48d2ce04e362a9f477c82ad5a557b06b6f33b45ca6662b37c1c9
    2 1 1 d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7
    2 0 2 afab698cbbbf892ebb555e09175056c1d4630fe7c350f44dcc6e71843d3b290df00d30ab4e356b630c69169d7633788338922fb637cf5b9f7be20a413eeaa518
    2 0 2 3a2375d29a3e66a3dd3c758cb9c056e8f5e66cf7bb49f6ac0760d27c2b41546ab757990194fc09853110978381e1feb5da22abc8037887a3a7c8a02c471c7c08
    2 0 1 76e9e288aafc0e37f4390cbf946aad997d5c1c901b3ce513d3d8fadbabe2ab85
    2 0 1 065ab7d2a050f947587121765d8d070c0e1330d5798faa42c2072749ed293762

- E5:

    2 1 2 a1ef14fea3ca15a552d42665d2fe685672cfdd903de4b370b0d7d87c6d31b5df07142483f36e0e15e16b58f9ba1cbdeeebd4bcb8d74ab7ea32a087db2105f402
    2 1 1 3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8
    2 0 2 4e32b7ee52c9bd2a15b2df3cae5e3b060d737d71faaaac25336c5f193cbdb52ed2fdf38b29aea9fb97f59c8f86e75b5c364309a232623a99e638116ed66063fd
    2 0 2 4f104e5ec57f442f66e2fdab6147e63a153c2f558d8b73c398898c56b44d88792061b33cee2d8c2d10f456fc1a7382b1b3fd827293f7ebfb7bf51ef38ba356ba
    2 0 1 5dfdb3cf31b26f23d87c09f3a0cef642f64069a9fb7cfe29270bb5dc0f1e16bb
    2 0 1 e788d14b0436b5120bbee3f15c15badf08c1407fe72568a4f16f9151c380e1e3

- E2:

    2 0 2 e8ec8405ab45605ae6e4a54efd6d626f663cb7e61a10d9a6a6a08b118e0d35763d0118e263a6db64516ca9f4e7f64fcd2b5dbf9e7a7ba265870606af26f4d855
    2 0 1 bacde0463053ce1d62f8be74370bbae79d4fcaf19fc07643aef195e6a59bd578
    2 1 2 23a30bd3b617652e97224e1faf673c4e09f1c197e4994274e676f2490893e9560d99f00a8859e399b2c65219ce2eb9b76784a0ec775ab4973a14fc1437ac7d9f
    2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270

- E1:

    2 0 2 0fc8bdb5b93d95bb016bb543bd74b859e4c18930964d59cfc305b93ef3212c0c20f3084ba98fbf7aac55d0d22c5b35566ed75bebe6d5a7c53ca1f949c45c3c8e
    2 0 1 46494e30379059df18be52124305e606fc59070e5b21076ce113954b60517cda
    2 1 2 3561540fbf182bce7749acc131b421e691f083569c053e78f20274714c5e801226ff6edb60641ddf70e71bd3a90dfe25ddd6464be78106b77dece4f6a3bff13d
    2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10

- R4:

    2 0 2 0f0b4dd77ee99d8ed5724da618b56017d08b757884796d087bf656e62d2717b5c913cb1e2eda07aacbfdbfdcb1ba5ba52114d54c000e05b0cb755256a61c0c37
    2 0 1 1a07529a8b3f01d231dfad2abdf71899200bb65cd7e03c59fa82272533355b74
    2 1 2 59a91d97d81980951d0ef3c6d849b31606af9ab2b0f7dcfac93a53ae3263eb8902c3b7c564f33ff496f2d07c750b1b6924968c243882af9e3532797eef596f27
    2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03

- R3:

    2 0 2 96c5793b2b57d8df5891c94015720960e0da4c2cf8ce1fc5707a0b46e5db8ce3761fb5fdb430f619d1579f13e80fbdd973ef6a024129ed039aa193273158fcad
    2 0 1 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
    2 1 2 0f644c9a1dcb8c04be6b385a60dbe4fdf7e2b81e335c9ad8c7cd0abe2ff9e7e5bbfbb68b38dd0216f17808f48bdf6af8c6347659c1f41a9858032c31f436d12c
    2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d

- X4:

    2 0 2 964468a5c685f305aa5865c049d814770b844df2cf7645f9a4afaf42957e334bcf1f290babaafe020c4e9a68c5689d570e37f11114ffd676c95b17b3d768b932
    2 0 2 74ddad9f8cdfa0fe6f6b70301b557a63a58b87fc2c17fae0f65e47d141226c062a74fa14861dc47a720bd8699b99091a06bd695cdde51222f837b9decfc270c5
    2 0 1 a74b0c32b65b95fe2c4f8f098947a68b695033bed0b51dd8b984ecae89571bb6
    2 0 1 5de9152bed31fa0515dd1fc746133f1327562ef72a84cf2d2403e748a604d0d4
    2 1 2 a0f5d1333bc90bcea0b0b5f401160b6e7f28a1256bc5b5d65f04b06b0bb0c96270aa81d8e2726394d385bf3e9ee46eb4ab7548c782d5688cc16d0cdffefb8594
    2 1 1 b111dd8a1c2091a89bd4fd60c57f0716cce50feeff8137cdbee0326e02cf362b

- X3:

    2 0 2 2e1e12dacb350e69317a7f37d769f46f16f437cf8d392319279c93515e5600baed3d3acd5dc83b673e8c60cf7fba0dce00a4d162a3b966a3ebf72487c376fca0
    2 0 2 5ec5b0783c6e667e0965df772943a06326768de0f75dc0bd2fe378f02ccca7d56c987656174cbe158cc29ecd763f8bda3454332cc7d47fb934691409c5fb8686
    2 0 1 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d
    2 0 1 731d3d9cfaa061487a1d71445a42f67df0afca2a6c2d2f98ff7b3ce112b1f568
    2 1 2 774fad8c9a6afc2bdb44faba8390d213ae592fb0d56c5dfab152284e334d7cd6abd05799236e7aa6266edf81907c60404c57ee54c10a3a82fcc2a9146629b140
    2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18

- X2:

    2 0 2 0a46b8055caa27634ac8992ba5574e82aa6f9bd8079ced18ed561ba9062801281c26c06cf849f228d5dbc0d22e7487396723fc083f729ed40d25c519397623b3
    2 0 2 070c005525584cb4ffc8ea0e6017f7cb27c995041701f60cb224293e6d398ca126ae11634e5bcc4103e28cf6c01d3bdd1fa2022b4cd9637ea69ab230f7605a37
    2 0 1 ec0c6ca496a67a13342fec5221f68d4b3e53b1bc22f6e4bccc9c68f0415cdea4
    2 0 1 e4eb54a7ffa552ef64d8e1ae338b69be909c29e6af57170a2f6f44df225e5a14

- X1:

    2 0 2 95bed189bf575a88e7935f5967154f74908d3c32662c3f0b66af8522a6af22653fd693a39efe3639f5134466c46a16ebb7e849890fde84324de645ffe7e892b1
    2 0 2 1968a36bc5fe322e7c24084ba65bbc52f28d02cc900050752adc48f56e7c1963d4d86d5cdacd1b0cb58ba2beca65714f9216af8f2d3d3d8812dde451b9514846
    2 0 1 7fdce3bf4103c2684b3adbb5792884bd45c75094c217788863950346f79c90a3
    2 0 1 bdee0d7c8f9c278f14ea9b6a4f90ed665a9f56db0a56b1cdda6765912f398a5e

- ISRG X1: expired 2024-09-30 cross-certificate from DST

    2 0 1 6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f
    2 0 2 7adc2b5f11e5d12df7adb6cee95e04f7eca714404bff58849a360b910f3afbdc37235cdd99e33b4e82efeee16d598573a4e346e0a6bdc41f70b3603c6f4324fa

The correct sets of DANE-TA(2) TLSA records to use with Let's Encrypt are either or both of:

- ECDSA (E7-E9):

    2 1 1 cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75
    2 1 1 885bf0572252c6741dc9a52f5044487fef2a93b811cdedfad7624cc283b7cdd5
    2 1 1 f1440a9b76e1e41e53a4cb461329bf6337b419726be513e42e19f1c691c5d4b2

- RSA (R12-R14):

    2 1 1 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4
    2 1 1 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d
    2 1 1 f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888
The latest DANE survey stats show many MX hosts with outdated LE CA TLSA records:

        # | CA
    ------+-----
       58 | X3 -- obsolete
       11 | X4 -- obsolete
      304 | R3 -- obsolete
      103 | R4 -- obsolete
       97 | E1 -- obsolete
       80 | E2 -- obsolete
      583 | E5 -- obsolete
      581 | E6 -- obsolete
      775 | E7
      733 | E8
      443 | E9 -- missing for many ECDSA users!
      619 | R10 -- obsolete
      650 | R11 -- obsolete
      731 | R12
      722 | R13
      536 | R14 -- missing for many RSA users!
        2 | ISRG X1 -- obsolete expired DST cross-certificate
      624 | ISRG X1 -- https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#roots
      281 | ISRG X2 -- https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#roots
> If you still want to rely on TLSA records tied to the LE issuers, and haven't published the appropriate full set of hashes, better late than never. And of course you'll need to keep up with the news from LE and make additional timely changes in the future as the CAs used by LE evolve.

The above advice is still relevant.

--
Viktor.

🇺🇦 Glory to Ukraine!
[ Unmonitored security is an oxymoron. DO NOT deploy inbound DANE without timely monitoring of the correctness of your TLSA records: https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/6723WDB... ]

Yet another Let's Encrypt-related announcement: further changes are due soon (by June 2026), as detailed in:

https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

and:

https://letsencrypt.org/2025/05/14/ending-tls-client-authentication
https://letsencrypt.org/2025/11/24/gen-y-hierarchy

TL;DR, if your CA is Let's Encrypt, and despite all the churn, for some reason you still prefer DANE-TA(2) TLSA records (2 1 1) over DANE-EE(3) (3 1 1), the TLSA records to publish are:

- ECDSA (E7–E9, YE1–YE3):

    2 1 1 cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75
    2 1 1 885bf0572252c6741dc9a52f5044487fef2a93b811cdedfad7624cc283b7cdd5
    2 1 1 f1440a9b76e1e41e53a4cb461329bf6337b419726be513e42e19f1c691c5d4b2
    2 1 1 6ebcefb4210b088654a38b03fea3d7d1c711b4fb1ddc363a45f9b1a4e53da01e
    2 1 1 b3fb5d00e994cddf2cc9a4eea9f806bc5727e83cc0e4299bf956f2d524fe5376
    2 1 1 a698a20824be04e47a1a33c4fa488731be92011f23a31e900e2ca26c9c2acfce

- RSA (R12–R14, YR1–YR3):

    2 1 1 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4
    2 1 1 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d
    2 1 1 f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888
    2 1 1 2e8307068b6db620e4a39d068b5dee5d6ef5788cbb2c0b6d23ead84fcc17178c
    2 1 1 9d637b3d27a9e570d07607b9ccadb80a70915c7af72afce12841b1b1da825fd1
    2 1 1 51aaa87d984b559ac69e929f888a022d832e089ff4dba0a412b5101bca4bc799

The latest DANE survey stats show many MX hosts with outdated LE CA TLSA records:

        # | CA
    ------+-----
       56 | X3 -- obsolete
       10 | X4 -- obsolete
      293 | R3 -- obsolete
      102 | R4 -- obsolete
       97 | E1 -- obsolete
       80 | E2 -- obsolete
      547 | E5 -- obsolete
      548 | E6 -- obsolete
      773 | E7
      769 | E8
      454 | E9 -- missing for many ECDSA users!
       22 | YE1 -- Replaces E7–E9 by 2026-06
       22 | YE2 -- Replaces E7–E9 by 2026-06
       22 | YE3 -- Replaces E7–E9 by 2026-06
      583 | R10 -- obsolete
      616 | R11 -- obsolete
      745 | R12
      739 | R13
      546 | R14 -- missing for many RSA users!
       15 | YR1 -- Replaces R12–R14 by 2026-06
       15 | YR2 -- Replaces R12–R14 by 2026-06
       15 | YR3 -- Replaces R12–R14 by 2026-06
      635 | ISRG X1 -- https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#roots
      292 | ISRG X2 -- https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#roots
        9 | ISRG YR -- https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#roots
        9 | ISRG YE -- https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#roots

And of course try to keep your MX hosts off the wall of shame:

https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#mxhosts

--
Viktor.

🇺🇦 Glory to Ukraine!
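An added example, not part of the thread and not a tool published by Viktor or Let's Encrypt: a small auditor that parses a TLSA RRset in presentation format, validates each record's fields (RFC 6698 usage/selector/matching-type ranges, 64 hex chars for SHA-256, 128 for SHA-512), and classifies the `2 1 1` records against the current and retired Let's Encrypt intermediate digests quoted in the posts above. The `CURRENT_*` and `OBSOLETE` digests are copied from this thread; the sample RRset is constructed, and `spki_digest` only shows how a selector-1 data field is derived from a DER SubjectPublicKeyInfo (extracting that DER from a certificate is assumed to happen elsewhere and is not shown).

```python
import hashlib
import re

# SHA-256 SPKI digests ("2 1 1") of the currently valid LE intermediates,
# copied from the thread: E7-E9 and YE1-YE3 (ECDSA), R12-R14 and YR1-YR3 (RSA).
CURRENT_ECDSA = {
    "cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75",
    "885bf0572252c6741dc9a52f5044487fef2a93b811cdedfad7624cc283b7cdd5",
    "f1440a9b76e1e41e53a4cb461329bf6337b419726be513e42e19f1c691c5d4b2",
    "6ebcefb4210b088654a38b03fea3d7d1c711b4fb1ddc363a45f9b1a4e53da01e",
    "b3fb5d00e994cddf2cc9a4eea9f806bc5727e83cc0e4299bf956f2d524fe5376",
    "a698a20824be04e47a1a33c4fa488731be92011f23a31e900e2ca26c9c2acfce",
}
CURRENT_RSA = {
    "919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4",
    "025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d",
    "f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888",
    "2e8307068b6db620e4a39d068b5dee5d6ef5788cbb2c0b6d23ead84fcc17178c",
    "9d637b3d27a9e570d07607b9ccadb80a70915c7af72afce12841b1b1da825fd1",
    "51aaa87d984b559ac69e929f888a022d832e089ff4dba0a412b5101bca4bc799",
}
# "2 1 1" digests of retired intermediates, also copied from the thread.
OBSOLETE = {
    "6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7": "R11",
    "2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba": "R10",
    "d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7": "E6",
    "3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8": "E5",
}

# Matching type -> required hex length of the data field (0 = full cert/SPKI, any length).
DIGEST_HEX_LEN = {0: None, 1: 64, 2: 128}


def parse_tlsa(line):
    """Parse 'usage selector mtype hexdata'; raise ValueError on a malformed record."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError(f"too few fields: {line!r}")
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = "".join(parts[3:]).lower()  # presentation format may split the hex
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError(f"out-of-range field in {line!r}")
    if not re.fullmatch(r"[0-9a-f]*", data):
        raise ValueError(f"non-hex data in {line!r}")
    expected = DIGEST_HEX_LEN[mtype]
    if expected is not None and len(data) != expected:
        raise ValueError(f"matching type {mtype} needs {expected} hex chars, got {len(data)}")
    return usage, selector, mtype, data


def audit_rrset(lines):
    """Classify a TLSA RRset against the current/obsolete LE intermediate sets.

    Only DANE-TA(2), SPKI(1), SHA-256(1) records are compared; anything else is
    reported as 'unclassified' for a human to review."""
    report = {"current": [], "obsolete": [], "unclassified": [], "malformed": []}
    seen = set()
    for line in lines:
        try:
            usage, selector, mtype, data = parse_tlsa(line)
        except ValueError as err:
            report["malformed"].append(str(err))
            continue
        if (usage, selector, mtype) != (2, 1, 1):
            report["unclassified"].append(line)
            continue
        seen.add(data)
        if data in CURRENT_ECDSA or data in CURRENT_RSA:
            report["current"].append(data)
        elif data in OBSOLETE:
            report["obsolete"].append((OBSOLETE[data], data))
        else:
            report["unclassified"].append(line)
    # Naming only some of a family's intermediates breaks the next time issuance
    # moves within that family, which is the thread's recurring complaint.
    report["missing_ecdsa"] = sorted(CURRENT_ECDSA - seen) if seen & CURRENT_ECDSA else []
    report["missing_rsa"] = sorted(CURRENT_RSA - seen) if seen & CURRENT_RSA else []
    return report


def spki_digest(spki_der, mtype=1):
    """Data field of a selector-1 TLSA record: SHA-256 (1) or SHA-512 (2) of the DER SPKI."""
    algo = {1: hashlib.sha256, 2: hashlib.sha512}[mtype]
    return algo(spki_der).hexdigest()


# Constructed sample RRset: one current ECDSA-family record, one retired R11
# record, one DANE-EE(3) record and one truncated digest.
SAMPLE_RRSET = [
    "2 1 1 cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75",
    "2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7",
    "3 1 1 " + "00" * 32,
    "2 1 1 deadbeef",
]

if __name__ == "__main__":
    for key, value in audit_rrset(SAMPLE_RRSET).items():
        print(f"{key}: {value}")
```

Feed it the output of `dig +short TLSA _25._tcp.mx.example.net` (or your zone file) and act on `obsolete` and `missing_*`; the hex can be double-checked against a chain certificate with `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`, which computes the same SHA-256 over the DER SPKI that `spki_digest` does.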