The DANE survey continues to observe a "long tail" of MX hosts with TLSA
records that match the retired "X3" and/or "X4" Let's Encrypt issuer Cas.
If you're publishing TLSA records with Let's Encrypt issuer CA hashes,
the "X3" and "X4" CAs should no longer appear in your TLSA RRset. Also
be sure to use "2 1 1" and not "2 0 1" or "2 0 2" TLSA parameters.
For details see:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
The MX host counts for the various LE CAs are:
# | CA
------+----
538 | X3
248 | X4
1133 | R3
436 | R4
483 | E1
396 | E2
* The counts for X3 and X4 should by now be 0.
* Every MX host that publishes R3 should also publish R4.
* Every MX host publishing E1 should also publish E2.
* The simplest strategy is to publish all four of R3,R4,E1 and E2
--
Viktor.
Also posted to dane-users@??? and postfix-users@???