The OP is not sufficiently familiar with the right terms of art.
He/she surely means private-CA, not found in the local trust
store, rather than self-signed server certificate.
self-signed root CA (not in Mozilla bundle)
[ intermediates ]
DANE-TA(2) works when the trust-anchor certificate matches some
*issuer* certificate in the chain provided by the server in its
"TLS certificate message". If the match is the self-signed
root CA, that certificate MUST be included in the chain for DANE
to work, even though root CAs are not typically sent with WebPKI
The lists.gentoo.example matches both an intermediate and a root,
and both are included in the server chain. So the issue to focus
on is why lists.gentoo.org (or ditto with just gentoo.org) fails.
DANE-TA(2) never matches a self-signed EE cert.
This message was posted to the following mailing lists: