[exim] Please drop TLSA records matching retired Let's Encry…

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: [exim] Please drop TLSA records matching retired Let's Encrypt CAs
The DANE survey continues to observe a "long tail" of MX hosts with TLSA
records that match the retired "X3" and/or "X4" Let's Encrypt issuer CAs.

If you're publishing TLSA records with Let's Encrypt issuer CA hashes,
the "X3" and "X4" CAs should no longer appear in your TLSA RRset. Also
be sure to use "2 1 1" and not "2 0 1" or "2 0 2" TLSA parameters.
For details see:

    http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html


The MX host counts for the various LE CAs are:

      #   | CA 
    ------+----
      538 | X3
      248 | X4
     1133 | R3
      436 | R4
      483 | E1
      396 | E2


* The counts for X3 and X4 should by now be 0.
* Every MX host that publishes R3 should also publish R4.
* Every MX host publishing E1 should also publish E2.
* The simplest strategy is to publish all four of R3, R4, E1 and E2.

-- 
    Viktor.


Also posted to dane-users@??? and postfix-users@???
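The checks Viktor lists (no X3/X4, "2 1 1" rather than "2 0 1"/"2 0 2", R3 paired with R4 and E1 with E2) are mechanical enough to run against your own TLSA RRset before publishing it. The script below is an added example for this archive page, not code from the post, from Exim or from the DANE survey. The CA digests in `KNOWN_CA_SPKI_SHA256` are constructed placeholders: an operator replaces them with the SHA-256 of each Let's Encrypt intermediate's DER SubjectPublicKeyInfo, which is exactly the value a "2 1 1" record carries (`tlsa_2_1_1_rdata` builds that RDATA from the SPKI bytes). The function, constant and finding-message names are this example's own.

```python
"""Audit a Let's Encrypt TLSA RRset for the problems named in the post.

Added example, not part of the original post. CA digests below are
CONSTRUCTED placeholders; a real deployment fills the table with
sha256(SubjectPublicKeyInfo DER) of each CA certificate.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

# Placeholder SPKI digests keyed by Let's Encrypt intermediate name (constructed).
KNOWN_CA_SPKI_SHA256: Dict[str, str] = {
    "X3": "11" * 32,
    "X4": "22" * 32,
    "R3": "33" * 32,
    "R4": "44" * 32,
    "E1": "55" * 32,
    "E2": "66" * 32,
}
RETIRED_CAS = {"X3", "X4"}
# Each CA should be published together with its sibling (R3 with R4, E1 with E2).
SIBLING_OF = {"R3": "R4", "R4": "R3", "E1": "E2", "E2": "E1"}
# TLSA matching type -> expected hex digest length (1 = SHA-256, 2 = SHA-512).
DIGEST_HEX_LEN = {1: 64, 2: 128}


def tlsa_2_1_1_rdata(spki_der: bytes) -> str:
    """RDATA of the recommended '2 1 1' record for a CA's DER SubjectPublicKeyInfo."""
    return "2 1 1 " + hashlib.sha256(spki_der).hexdigest()


def parse_tlsa(rdata: str) -> Optional[Tuple[int, int, int, str]]:
    """Parse presentation-format TLSA RDATA; return None if it is not well formed."""
    parts = rdata.split(None, 3)
    if len(parts) != 4:
        return None
    try:
        usage, selector, mtype = (int(p) for p in parts[:3])
        digest = "".join(parts[3].split()).lower()  # hex may be whitespace-split
        int(digest, 16)  # must be valid hex
    except ValueError:
        return None
    if len(digest) != DIGEST_HEX_LEN.get(mtype, -1):
        return None
    return usage, selector, mtype, digest


def audit_tlsa_rrset(rrset: List[str], known: Optional[Dict[str, str]] = None) -> List[str]:
    """Return a list of human-readable findings; an empty list means the RRset is clean."""
    table = KNOWN_CA_SPKI_SHA256 if known is None else known
    by_digest = {v.lower(): name for name, v in table.items()}
    findings: List[str] = []
    published = set()
    for rdata in rrset:
        parsed = parse_tlsa(rdata)
        if parsed is None:
            findings.append(f"malformed record: {rdata!r}")
            continue
        usage, selector, mtype, digest = parsed
        if usage in (0, 1):
            # PKIX-TA(0)/PKIX-EE(1) are not usable for SMTP DANE (RFC 7672).
            findings.append(f"usage {usage} is not usable for SMTP DANE: {rdata!r}")
            continue
        if usage != 2:
            continue  # DANE-EE(3) records are outside the issuer-CA checks
        if (selector, mtype) != (1, 1):
            findings.append(f"use '2 1 1', not '2 {selector} {mtype}': {rdata!r}")
            continue  # a non-SPKI or SHA-512 digest cannot be matched to the table
        name = by_digest.get(digest)
        if name is None:
            continue  # some other trust anchor; nothing to report
        published.add(name)
        if name in RETIRED_CAS:
            findings.append(f"retired Let's Encrypt CA {name} still published: {rdata!r}")
    for name in sorted(published):
        sibling = SIBLING_OF.get(name)
        if sibling and sibling not in published:
            findings.append(f"{name} published without its sibling {sibling}")
    return findings


if __name__ == "__main__":
    # Constructed RRset exhibiting each problem from the post.
    sample = [
        "2 1 1 " + "11" * 32,  # retired X3
        "2 1 1 " + "33" * 32,  # R3 without R4
        "2 0 1 " + "ab" * 32,  # wrong parameters
        "3 1 1 " + "cd" * 32,  # DANE-EE record, ignored here
    ]
    for line in audit_tlsa_rrset(sample):
        print(line)
```

Feed it the RDATA of your `_25._tcp.<mx>` TLSA RRset one record per list entry; the "2 1 1" values you publish for R3, R4, E1 and E2 should be the output of `tlsa_2_1_1_rdata` over the corresponding CA certificate's SPKI, so the same helper can generate the records and verify them.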