On 2017-02-20 at 22:38 -0500, Viktor Dukhovni wrote:
> Indeed this is the key issue. The certificate provided by Let's Encrypt
> should not be deployed as the live certificate used by the MTA until the
> DNS TLSA records have been in place for at least a couple of TTLs.
This is why I just use DANE on the CA certs, with a spare CA entry, so that I don't need to coordinate grace periods around updating DNS on each renewal.

For exim.org, it's just LE. I ended up dropping down to just X3 and X4. For my own domains, it's LE and my private CAs.

For HPKP, where there is a little more room inside the TCP stream and I set longer TTLs, I include a commercial CA too; if everything goes to hell and I end up paying for some certs for a year, I at least have an exit plan. I can add to DNS as-and-when needed.

-Phil
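
The two-record DANE-TA setup Phil describes (a TLSA record for the live issuing CA plus one for a spare), as an added example that is not part of the thread and not exim's or any project's code. It generates throwaway CAs with openssl, derives the TLSA "2 1 1" data for each (SHA-256 over the DER SubjectPublicKeyInfo, the usual recipe), publishes two of them as a pretend DNS set, and then checks which presented chains match. The names (mail.example.com, "Example CA 1/2/3"), the temp-dir layout and the helper names are assumptions; the matching step only checks that an issuer in the chain is listed and leaves out the path validation a real DANE verifier also does.

```shell
#!/bin/sh
# Added example, not code from the thread: DANE-TA ("2 1 1") records for the
# issuing CA plus a spare, and a check showing which presented chains match.
# Everything here is throwaway: hypothetical names (mail.example.com,
# "Example CA 1/2/3") and keys/certs generated on the spot, so it runs offline.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# TLSA usage 2 (trust anchor), selector 1 (SubjectPublicKeyInfo),
# matching type 1 (SHA-256): hash the DER SPKI of the CA certificate.
tlsa_211() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | sed 's/^.*= //'
}

# Throwaway self-signed CA (EC P-256 keeps generation fast).  $1 name, $2 CN.
make_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" -days 1 2>/dev/null
}

# Issue an MTA leaf certificate from CA $1 and write leaf+issuer to $2, which is
# the chain the server would send in the TLS handshake.
issue_chain() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
      -subj "/CN=mail.example.com" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
      -CAcreateserial -out "$WORK/leaf.pem" -days 1 2>/dev/null
    cat "$WORK/leaf.pem" "$WORK/$1.pem" > "$2"
}

# Matching step of a DANE-TA check: does some issuer certificate in the
# presented chain ($1) hash to a value in the published TLSA set ($2, one hex
# digest per line)?  A real verifier also builds and validates the path from
# the leaf up to that trust anchor; that part is deliberately left out here.
chain_matches() {
    rm -f "$WORK"/split*.pem
    awk -v d="$WORK/split" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d n ".pem")}' "$1"
    for f in "$WORK"/split*.pem; do
        if [ "$f" = "$WORK/split1.pem" ]; then continue; fi   # first cert is the leaf
        if grep -qix "$(tlsa_211 "$f")" "$2"; then return 0; fi
    done
    return 1
}

make_ca ca1 "Example CA 1"   # the CA currently issuing our certs
make_ca ca2 "Example CA 2"   # the spare, published in DNS ahead of time
make_ca ca3 "Example CA 3"   # a CA we never published

# The DNS side: one record for the live issuer, one for the spare.
{ tlsa_211 "$WORK/ca1.pem"; tlsa_211 "$WORK/ca2.pem"; } > "$WORK/tlsa.txt"
while read -r h; do
    echo "_25._tcp.mail.example.com. IN TLSA 2 1 1 $h"
done < "$WORK/tlsa.txt"

issue_chain ca1 "$WORK/chain1.pem"   # today's certificate
issue_chain ca2 "$WORK/chain2.pem"   # a renewal that came out under the spare
issue_chain ca3 "$WORK/chain3.pem"   # a renewal under a CA nobody published

for c in chain1 chain2 chain3; do
    if chain_matches "$WORK/$c.pem" "$WORK/tlsa.txt"; then
        echo "$c: matches a published TLSA record, no DNS change needed"
    else
        echo "$c: no match, DNS would have had to change before deployment"
    fi
done
```

The chain issued under the spare passes with the DNS set untouched, which is the whole point of carrying the extra record; the chain under the unpublished CA is the case Viktor's grace-period warning is about, and it is also what a "3 1 1" record on the leaf would hit at every renewal. The spare only helps if it is a CA the issuer might really sign with, which is why the list above tracks the issuer's current intermediates (X3 and X4 in the thread) rather than arbitrary CAs.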
