> Lutz, maybe you could shed some light on this issue?

Indeed, for the record:

We do run a rolling CA, hence the CA keys are valid for two years and are used 
only for new certificates during the first year.
Hence there are always two active CAs: One for certs issued in the current 
year, and one for still valid certs issued last year.

Of course we need to have appropriate TLSA records for each active CA. Of 
course, only one of the records can match for a validation.
During the yearly rollover you may even see three such records for several 
weeks.

HTH

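As an added example (not code from the post or the list), here is how the "only one record can match" rule plays out for DANE-TA (usage 2) TLSA records across a rolling CA like the one described above. The certificate bytes are constructed stand-ins, not real DER.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real X.509 data):
# one CA key per year, plus a server certificate issued under each.
CA_2023 = b"constructed DER: CA certificate 2023"
CA_2024 = b"constructed DER: CA certificate 2024"
SERVER_OLD = b"constructed DER: server cert issued 2023"  # still valid, issued by CA_2023
SERVER_NEW = b"constructed DER: server cert issued 2024"  # issued by CA_2024


def tlsa_record(ca_der, usage=2, selector=0, mtype=1):
    """Build TLSA RDATA as (usage, selector, matching type, association data).

    usage 2 = DANE-TA (trust anchor), selector 0 = full certificate,
    matching type 1 = SHA-256 of the selected data.
    """
    if selector != 0 or mtype != 1:
        raise ValueError("example only handles selector 0 / matching type 1")
    return (usage, selector, mtype, hashlib.sha256(ca_der).digest())


def dane_validate(records, chain):
    """Return the index of the first TLSA record matched by an issuer in the
    chain, or None if nothing matches.

    A single matching record is sufficient, so the zone can carry one record
    per active CA and only the one for the CA that issued this certificate
    will match; the others are simply ignored.
    """
    for i, (usage, selector, mtype, data) in enumerate(records):
        if usage != 2:
            continue  # this example only handles DANE-TA records
        for cert in chain[1:]:  # chain[0] is the end-entity; issuers follow
            if hashlib.sha256(cert).digest() == data:
                return i
    return None


def rollover_zone():
    """TLSA RRset while two CAs are active: one record for each CA."""
    return [tlsa_record(CA_2023), tlsa_record(CA_2024)]


if __name__ == "__main__":
    zone = rollover_zone()
    print("old cert matches record", dane_validate(zone, [SERVER_OLD, CA_2023]))
    print("new cert matches record", dane_validate(zone, [SERVER_NEW, CA_2024]))
```

A certificate chaining to a CA that has been retired from the zone (no record left for it) returns None, which is what a DANE-validating client would treat as a failure.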