
Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4

2020-03-03 15:06:27
On 2020-03-03 at 13:50 +0000, Дилян Палаузов wrote:
> On very short notice, Let’s Encrypt revokes its certificates with the
> message below.  This effectively means starting and completing a
> TLSA/DANE/DNSSEC certificate rollover within 24h.
>
> Is this possible in general, when the DNS TTL on its own is 24h?  Do I
> understand something wrong in stating that this mass revocation is just
> bad for DANE+SMTP?
>
> What is the right way to mass revoke certificates involved in DANE?

Make sure that the CA certificate is sent on the TLS connection too.

Pin the registrar cert via its public key, not just your own cert.


; For Let's Encrypt, where they have multiple signing paths, we use
; public-key hashing, not certificate hashing.
; This avoids breakage given, eg, IdenTrust vs other authority paths.
_letsencrypt-tlsa IN TLSA ( 02 01 01 
60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18 ) ; X1 & X3
_letsencrypt-tlsa IN TLSA ( 02 01 01 
b111dd8a1c2091a89bd4fd60c57f0716cce50feeff8137cdbee0326e02cf362b ) ; X2 & X4

and then CNAME to that for each service affected.

I really am not a fan of DANE-EE (Usage 3) certs.  It always seems so
fragile, to be doing DNS timeout dances and pre-issuing replacement
certs, and relying upon others not using resolvers which cache for too

DANE-TA (Usage 2) identifying the public key of the Certificate
Authority (so that their re-issuing the cert doesn't break you, eg Let's
Encrypt X1 vs X3) is a much more robust setup IMO.

Usage:          DANE-TA(2)
Selector:       SPKI(1)
Matching Type:  SHA2-256(1)

I use a single TLSA record for each "group of CAs which might be valid
here" and then CNAMEs for each service using it.

Note that Let's Encrypt have a second standby CA ready to use, X4, to go
with their active X3.
Publish the fingerprints of the public keys of both X3 and X4.


ietf-smtp mailing list
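One way to generate and check such a DANE-TA(2) SPKI(1) SHA2-256(1) record from a CA certificate, as an added example that is not the poster's own code. It assumes only the openssl command-line tool and builds throwaway test CAs (hypothetical "Test CA x1"/"x3" sharing one key, like the X1/X3 pair above, plus an unrelated CA) to show that a re-issued CA certificate with the same key produces the same record:

```shell
#!/bin/sh
# Added example, not from the thread: derive the DANE-TA(2) SPKI(1) SHA2-256(1)
# TLSA rdata from a CA certificate.  Hashing the SubjectPublicKeyInfo rather
# than the certificate means a re-issued CA cert carrying the same key (as with
# the Let's Encrypt X1/X3 pair) yields the same record, so the zone stays valid.
set -eu

# Print "2 1 1 <hex>" for the PEM certificate in $1 (the thread writes the
# fields as "02 01 01"; the values are the same).
tlsa_211() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{ printf "2 1 1 %s\n", $NF }'
}

# Return 0 if some certificate among $2.. has a record in the newline-separated
# set $1.  This is only the trust-anchor match a zone operator can check; the
# verifying MTA must still validate the presented chain up to that anchor.
dane_ta_match() {
    published=$1; shift
    for cert in "$@"; do
        rec=$(tlsa_211 "$cert")
        printf '%s\n' "$published" | grep -qxF "$rec" && return 0
    done
    return 1
}

# Constructed fixture (hypothetical CAs): one key under two certificates plus
# an unrelated CA.  Prints the directory holding x1.pem, x3.pem and other.pem.
make_fixture() {
    dir=$(mktemp -d)
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/shared.key" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/other.key" 2>/dev/null
    for name in x1 x3; do
        openssl req -x509 -new -key "$dir/shared.key" -config "$dir/req.cnf" \
          -subj "/CN=Test CA $name" -days 1 -out "$dir/$name.pem" 2>/dev/null
    done
    openssl req -x509 -new -key "$dir/other.key" -config "$dir/req.cnf" \
      -subj "/CN=Other CA" -days 1 -out "$dir/other.pem" 2>/dev/null
    printf '%s\n' "$dir"
}

# Show the shared-key pair collapsing to one record, unlike the unrelated CA.
FIX=$(make_fixture)
for c in x1 x3 other; do printf '%-6s %s\n' "$c" "$(tlsa_211 "$FIX/$c.pem")"; done
```

Publish the record for every CA key that might sign your chain (X3 and the standby X4 in the thread's case), and re-run the match against the chain your MTA actually serves after each renewal.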