On Thu, Nov 27, 2025 at 11:19:14AM +0100, Geert Hendrickx via Postfix-users
wrote:
> On Fri, Nov 21, 2025 at 14:51:57 +1100, Viktor Dukhovni via Postfix-users
> wrote:
> > If you still want to rely on TLSA records tied to the LE issuers, and
> > haven't published the appropriate full set of hashes, better late than
> > never. And of course you'll need to keep up with the news from LE and
> > make additional timely changes in the future as the CAs used by LE
> > evolve.
>
>
> Let's Encrypt users with TLSA 2 1 1 should also start adding TLSA records
> for the new "Generation Y" intermediates:
>
> https://letsencrypt.org/2025/11/24/gen-y-hierarchy
>
> They will start issuing certificates from this hierarchy as of next month,
> at least for users of the "tlsserver" and "shortlived" profiles.

Good point, thanks! Do you have any suggested text for:

https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

and are you perhaps willing/able to post a similar follow-up to the
<[email protected]> and/or <[email protected]> lists?

[ Though my main takeaway from all this is that "2 1 1" is much too
volatile for most Let's Encrypt users, and they really need to
consider switching to "3 1 1". ]

--
Viktor. 🇺🇦 Слава Україні!
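
Added example, not part of the original message or of any project's code: a shell sketch that derives the "3 1 1" record for a server's own key and a "2 1 1" record for each issuer certificate in a PEM chain, which shows why only the latter changes when the CA moves to new intermediates. It assumes the `openssl` CLI is installed and that the chain file lists the leaf certificate first; the function names and the owner name in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added illustration. Selector 1 / matching type 1 means:
# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a certificate.

# Read one PEM certificate on stdin, print the hex SPKI SHA-256 digest.
spki_sha256() {
    openssl x509 -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r |
        cut -d' ' -f1
}

# tlsa_records OWNER CHAIN_PEM
# Prints "3 1 1" for the first certificate (assumed to be the leaf) and
# "2 1 1" for every further certificate (the issuers) in the chain file.
tlsa_records() {
    owner=$1
    chain=$2
    dir=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate: 1.pem, 2.pem, ...
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") }
    ' "$chain"
    i=1
    while [ -f "$dir/$i.pem" ]; do
        if [ "$i" -eq 1 ]; then usage=3; else usage=2; fi
        printf '%s IN TLSA %s 1 1 %s\n' \
            "$owner" "$usage" "$(spki_sha256 < "$dir/$i.pem")"
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# Usage (constructed owner name and path):
#   sh tlsa.sh _25._tcp.mx.example. /path/to/fullchain.pem
if [ "$#" -eq 2 ]; then
    tlsa_records "$1" "$2"
fi
```

The "3 1 1" digest depends only on the server's public key, so it stays the same across renewals that reuse the key, whichever intermediate signs the new certificate; each "2 1 1" digest is tied to one issuer key and has to be published before that issuer comes into use.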