[ Unmonitored security is an oxymoron. DO NOT deploy inbound DANE
without timely monitoring of the correctness of your TLSA records:
https://list.sys4.de/hyperkitty/list/[email protected]/message/6723WDBLPYWSXAORTAJR7EPAIOFAP5N4/
]
Yet another Let's Encrypt-related announcement: further changes are due
soon (by June 2026), as detailed in:
<https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html>
and:
<https://letsencrypt.org/2025/05/14/ending-tls-client-authentication>
<https://letsencrypt.org/2025/11/24/gen-y-hierarchy>
TL;DR, if your CA is Let's Encrypt, and despite all the churn, for some
reason you still prefer DANE-TA(2) TLSA records (2 1 1) over DANE-EE(3)
(3 1 1), the TLSA records to publish are:
- ECDSA (E7–E9, YE1–YE3):
2 1 1 cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75
2 1 1 885bf0572252c6741dc9a52f5044487fef2a93b811cdedfad7624cc283b7cdd5
2 1 1 f1440a9b76e1e41e53a4cb461329bf6337b419726be513e42e19f1c691c5d4b2
2 1 1 6ebcefb4210b088654a38b03fea3d7d1c711b4fb1ddc363a45f9b1a4e53da01e
2 1 1 b3fb5d00e994cddf2cc9a4eea9f806bc5727e83cc0e4299bf956f2d524fe5376
2 1 1 a698a20824be04e47a1a33c4fa488731be92011f23a31e900e2ca26c9c2acfce
- RSA (R12–R14, YR1–YR3):
2 1 1 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4
2 1 1 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d
2 1 1 f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888
-
2 1 1 2e8307068b6db620e4a39d068b5dee5d6ef5788cbb2c0b6d23ead84fcc17178c
2 1 1 9d637b3d27a9e570d07607b9ccadb80a70915c7af72afce12841b1b1da825fd1
2 1 1 51aaa87d984b559ac69e929f888a022d832e089ff4dba0a412b5101bca4bc799
The latest DANE survey stats show many MX hosts with outdated LE CA TLSA records:

   # | CA
-----+-----
  56 | X3 -- obsolete
  10 | X4 -- obsolete
 293 | R3 -- obsolete
 102 | R4 -- obsolete
  97 | E1 -- obsolete
  80 | E2 -- obsolete
 547 | E5 -- obsolete
 548 | E6 -- obsolete
 773 | E7
 769 | E8
 454 | E9 -- missing for many ECDSA users!
  22 | YE1 -- Replaces E7–E9 by 2026-06
  22 | YE2 -- Replaces E7–E9 by 2026-06
  22 | YE3 -- Replaces E7–E9 by 2026-06
 583 | R10 -- obsolete
 616 | R11 -- obsolete
 745 | R12
 739 | R13
 546 | R14 -- missing for many RSA users!
  15 | YR1 -- Replaces R12–R14 by 2026-06
  15 | YR2 -- Replaces R12–R14 by 2026-06
  15 | YR3 -- Replaces R12–R14 by 2026-06
 635 | ISRG X1 -- https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#roots
 292 | ISRG X2 -- https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#roots
   9 | ISRG YR -- https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#roots
   9 | ISRG YE -- https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#roots
And of course try to keep your MX hosts off the wall of shame:
<https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html#mxhosts>
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
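Added example, not part of Viktor's post and not Postfix or Let's Encrypt code: a standard-library Python audit of a published TLSA RRset against the certificate chain an MX actually presents, which is the "timely monitoring of the correctness of your TLSA records" the post opens with. It pulls the DER SubjectPublicKeyInfo out of each certificate with a minimal DER walker (selector 1 is the SPKI, not the whole certificate), hashes it with SHA-256 (matching type 1), and classifies each published record as usable, stale (matches nothing in the chain, the "obsolete" rows of the survey table) or unsupported. Assumptions: the chain is in handshake order, leaf first; the matching is deliberately simplified (a 3 1 1 must equal the leaf SPKI digest, a 2 1 1 must equal an issuer SPKI digest; other selector/matching-type combinations, name checks and the rest of RFC 7671 are out of scope); and the sample chain is constructed here, two structurally valid but unsigned certificates around sample P-256 keys, because the real digests in the post cannot be verified offline.

```python
import hashlib, re

def der(tag, body):
    """Encode one DER TLV with definite length (long form once body >= 128 bytes)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                    # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo (tag, length and value) of an X.509 cert.
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_start, _ = read_tlv(cert_der, 0)        # outer Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert_der, cert_start)  # tbsCertificate
    fields = []                                     # (tag, tlv_start, value_end)
    while pos < tbs_end:
        tag, _, vend = read_tlv(cert_der, pos)
        fields.append((tag, pos, vend))
        pos = vend
    if fields[0][0] == 0xA0:                        # explicit [0] version present
        fields.pop(0)
    tag, start, end = fields[5]                     # subjectPublicKeyInfo
    return cert_der[start:end]

def tlsa_rdata(usage, cert_der):
    """Rdata text of the '<usage> 1 1' record naming this certificate's SPKI."""
    return "%d 1 1 %s" % (usage, hashlib.sha256(spki_from_cert(cert_der)).hexdigest())

TLSA_RE = re.compile(r"^([0-3])\s+([01])\s+([012])\s+([0-9a-fA-F]+)$")

def parse_tlsa(text):
    """Parse 'usage selector mtype hex' lines, one record per line, blanks ignored."""
    records = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = TLSA_RE.match(line)
        if not m:
            raise ValueError("not a TLSA record: %r" % line)
        records.append((int(m[1]), int(m[2]), int(m[3]), m[4].lower()))
    return records

def audit(published, chain_der):
    """Classify the published RRset against the chain: (usable, stale, unsupported).
    chain_der[0] is the leaf, chain_der[1:] the issuers, in handshake order.
    Simplified: 3 1 1 must match the leaf SPKI, 2 1 1 must match an issuer SPKI;
    other selector/matching-type combinations are reported as unsupported."""
    digests = [hashlib.sha256(spki_from_cert(c)).hexdigest() for c in chain_der]
    usable, stale, unsupported = [], [], []
    for rec in published:
        usage, selector, mtype, data = rec
        if selector != 1 or mtype != 1:
            unsupported.append(rec)
        elif (usage == 3 and data == digests[0]) or (usage == 2 and data in digests[1:]):
            usable.append(rec)
        else:
            stale.append(rec)
    return usable, stale, unsupported

def p256_spki(x_hex, y_hex):
    """SubjectPublicKeyInfo for an uncompressed P-256 point (sample key material)."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))         # id-ecPublicKey
                  + der(0x06, bytes.fromhex("2a8648ce3d030107")))     # prime256v1
    return der(0x30, alg + der(0x03, b"\x00\x04" + bytes.fromhex(x_hex + y_hex)))

def make_cert(spki_der):
    """Wrap spki_der in a structurally valid, unsigned DER Certificate (constructed:
    empty names, dummy signature; nothing here checks signatures, only structure)."""
    ecdsa_sha256 = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                    # version v3
                  + der(0x02, b"\x01")                                # serialNumber
                  + ecdsa_sha256                                      # signature alg
                  + der(0x30, b"")                                    # issuer
                  + der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
                  + der(0x30, b"")                                    # subject
                  + spki_der)
    return der(0x30, tbs + ecdsa_sha256 + der(0x03, b"\x00" * 9))

# Constructed sample chain: leaf keyed with the P-256 base point, issuer with a second
# sample point.  The audit only hashes SPKI bytes; it does not validate the points.
LEAF_SPKI = p256_spki("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
                      "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
ISSUER_SPKI = p256_spki("7cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978",
                        "07775510db8ed040293d9ac69f7430dbba7dade63ce982299e04b79d227873d1")
CHAIN = [make_cert(LEAF_SPKI), make_cert(ISSUER_SPKI)]

if __name__ == "__main__":
    rrset = parse_tlsa("\n".join([tlsa_rdata(3, CHAIN[0]), "2 1 1 " + "00" * 32,
                                  tlsa_rdata(2, CHAIN[1])]))  # middle one is stale
    for label, recs in zip(("usable", "stale", "unsupported"), audit(rrset, CHAIN)):
        print(label, recs)
```

For a live MX the inputs would come from the chain shown by `openssl s_client -starttls smtp -connect mx.example:25 -showcerts` (converted to DER) and the RRset from `dig +dnssec TLSA _25._tcp.mx.example`; the point of running it on a schedule is that a `2 1 1` for an intermediate the CA has retired lands in the stale list before the next renewal silently switches the chain, which is exactly how the "obsolete" rows in the survey table come about. Note that the chain the script sees must be the one the server actually sends: a correct record for an intermediate the server omits from its chain file is just as useless to a remote verifier.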