[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-20 Thread Byung-Hee HWANG via Postfix-users
Ralph Seichter via Postfix-users writes: > * Byung-Hee HWANG via Postfix-users: > >> Honestly, 311 was not easy for me to set up. > > These days, one is a bit spoiled for choice when it comes to software > which handles this automatically. LetsDNS (https://letsdns.org) is what > I use and

[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-19 Thread Ralph Seichter via Postfix-users
* Byung-Hee HWANG via Postfix-users: > Honestly, 311 was not easy for me to set up. These days, one is a bit spoiled for choice when it comes to software which handles this automatically. LetsDNS (https://letsdns.org) is what I use and recommend, unsurprisingly, because it is robust and easy

[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-17 Thread Byung-Hee HWANG via Postfix-users
Hello raf, > As Viktor pointed out, you're not affected, Welcome! And thanks a lot for the confirmation. > but if you want to use "3 1 1", > and you use certbot for your LetsEncrypt certificates, as well as Viktor's > danebot program (https://github.com/tlsaware/danebot), my danectl program >

[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-15 Thread raf via Postfix-users
On Wed, Nov 15, 2023 at 09:44:18PM +0900, Byung-Hee HWANG via Postfix-users wrote: > Thank you for notifying us. Also I'm using a 211 TLSA record. > > Honestly, 311 was not easy for me to set up. > > Sincerely, Byung-Hee As Viktor pointed out, you're not affected, but if you want to use "3 1

[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-15 Thread Viktor Dukhovni via Postfix-users
On Wed, Nov 15, 2023 at 09:44:18PM +0900, Byung-Hee HWANG via Postfix-users wrote: > > Bottom line, if you're relying on that "2 1 1" record matching the ISRG > > root to match your Let's Encrypt chain, you're about to be disappointed, > > if you aren't already. See: > > > >

[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-15 Thread Geert Hendrickx via Postfix-users
On Wed, Nov 15, 2023 at 10:29:41 -0500, James Cloos via Postfix-users wrote: > LE announced a while back that they would not renew the cross cert. Yes, but dropping the cross-signed X1 root cert from the default chain last week was an accident:
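
Worked example, added here and not code from the thread or from danebot, danectl or LetsDNS: a POSIX shell script that uses openssl to build a toy hierarchy mirroring the one Viktor and Geert are discussing (a self-signed "Example Root" standing in for ISRG Root X1, a cross-signed copy of it standing in for the DST-signed X1, an "Example Int" standing in for R3, and an MX leaf), derives "3 1 1" and "2 1 1" TLSA rdata from it, and checks which presented chains satisfy each record. All names, the _25._tcp.mx.example.com owner and the chain_matches helper are assumptions; the digests are computed live.

```shell
#!/bin/sh
# Added example, not code from the thread: derive TLSA "3 1 1" / "2 1 1" rdata
# with openssl and check which presented chains satisfy each record.
# "Example Root" stands in for ISRG Root X1, "Old Root" for DST Root CA X3,
# "Example Int" for R3; all names and the TLSA owner are assumptions.
set -eu

# Hex SHA-256 of the DER SubjectPublicKeyInfo: selector 1, matching type 1.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}'
}
# DANE-EE (3 1 1): digest of the end-entity key.  DANE-TA (2 1 1): digest of
# a trust-anchor key.
tlsa_311() { printf '3 1 1 %s\n' "$(spki_sha256 "$1")"; }
tlsa_211() { printf '2 1 1 %s\n' "$(spki_sha256 "$1")"; }
same_key() { [ "$(spki_sha256 "$1")" = "$(spki_sha256 "$2")" ]; }

# chain_matches RDATA CHAINFILE: exit 0 if the rdata is satisfied by the PEM
# chain as a server presents it (leaf first).  Usage 3 must match the leaf;
# usage 2 must match some certificate *in the chain*, because with selector 1
# the client cannot rebuild the TA certificate from a bare key digest
# (RFC 7671, section 5.2.2).
chain_matches() {
    rdata=$1; chain=$2
    usage=$(printf '%s' "$rdata" | awk '{print $1}')
    want=$(printf '%s' "$rdata" | awk '{print $4}')
    dir=$(mktemp -d)
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/c" n ".pem")}' "$chain"
    rc=1
    if [ "$usage" = 3 ]; then
        [ "$(spki_sha256 "$dir/c1.pem")" = "$want" ] && rc=0
    else
        for c in "$dir"/c*.pem; do
            [ "$(spki_sha256 "$c")" = "$want" ] && rc=0
        done
    fi
    rm -rf "$dir"
    return $rc
}

WORK=$(mktemp -d)            # left in place so the files can be inspected
cd "$WORK"
# Minimal req config so the script does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
newkey() { openssl ecparam -genkey -name prime256v1 -noout -out "$1"; }
newkey root.key; newkey oldroot.key; newkey int.key; newkey leaf.key

# Two self-signed roots, then a cross-signed copy of Example Root under Old Root.
openssl req -config req.cnf -x509 -new -key root.key    -subj '/CN=Example Root' -days 2 -out root.pem
openssl req -config req.cnf -x509 -new -key oldroot.key -subj '/CN=Old Root'     -days 2 -out oldroot.pem
openssl req -config req.cnf -new -key root.key -subj '/CN=Example Root' -out root.csr
openssl x509 -req -in root.csr -CA oldroot.pem -CAkey oldroot.key -CAcreateserial \
    -days 2 -extfile ca.ext -out root-cross.pem 2>/dev/null
# Intermediate and MX end-entity certificate.
openssl req -config req.cnf -new -key int.key -subj '/CN=Example Int' -out int.csr
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.pem 2>/dev/null
openssl req -config req.cnf -new -key leaf.key -subj '/CN=mx.example.com' -out leaf.csr
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null

# Three chains as a server might present them (leaf first).
cat leaf.pem int.pem root.pem       > chain_with_root.pem    # self-signed root appended
cat leaf.pem int.pem root-cross.pem > chain_with_cross.pem   # cross-signed root appended
cat leaf.pem int.pem                > chain_short.pem        # no root at all

REC_311=$(tlsa_311 leaf.pem)
REC_211=$(tlsa_211 root.pem)
for rec in "$REC_311" "$REC_211"; do
    for chain in chain_with_root.pem chain_with_cross.pem chain_short.pem; do
        if chain_matches "$rec" "$chain"; then r=match; else r=NO-MATCH; fi
        printf '_25._tcp.mx.example.com. IN TLSA %s\n    vs %-22s %s\n' "$rec" "$chain" "$r"
    done
done
same_key root.pem root-cross.pem && echo "self-signed and cross-signed root share one SPKI digest"
```

The "2 1 1" record is satisfied as long as any certificate in the presented chain carries the root's key, self-signed or cross-signed alike, because selector 1 digests the SubjectPublicKeyInfo rather than the certificate. Once no copy of the root is in the chain there is nothing left to match and the record fails, which is the symptom Viktor describes. The "3 1 1" record does not care what the chain contains, but it has to be republished whenever the leaf key changes, which is the bookkeeping that danebot, danectl and LetsDNS automate.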

[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-15 Thread James Cloos via Postfix-users
LE announced a while back that they would not renew the cross cert. Their root was expiring and they chose not to pay for a cross for the replacement. -JimC -- James Cloos OpenPGP: 0x997A9F17ED7DAEA6

[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-15 Thread Byung-Hee HWANG via Postfix-users
Hello Viktor, Viktor Dukhovni via Postfix-users writes: > The DANE/DNSSEC survey () has seen a > recent spike in the number of MX hosts whose "2 1 1" TLSA records no > longer match their certificate chain. The records in question all > share the same digest