[exim] TAKE NOTE 2: Future Let's Encrypt CA choice randomisa…

Author: Viktor Dukhovni via Exim-users
Date:  
To: exim-users
Old-Topics: [exim] TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain
New-Topics: [exim] TAKE NOTE 3: Upcoming new Let's Encrypt intermediate issuer CAs.
Subject: [exim] TAKE NOTE 2: Future Let's Encrypt CA choice randomisation.
On Wed, Nov 15, 2023 at 12:17:50AM -0500, Viktor Dukhovni wrote:

> It must be that Let's Encrypt finally stopped by default including that
> cross certificate in their chains.


As pointed out helpfully by Geert Hendrickx on the postfix-users list:

> They plan to stop providing the cross-signed "long chain" by default
> in February 2024, and completely in June, as the cross-sign expires
> in September. Dropping it last week was unintended.


The ensuing conversation on the LE forum uncovered a second potential
future incompatibility to plan for:

    https://community.letsencrypt.org/t/short-chain-and-dane/208422/8?u=ietf-dane


Let's Encrypt are apparently also planning to *randomise* the choice of
intermediate issuer CA used with each renewal. Instead of consistently
using say "R3", they'll randomly choose one of R3/R4/E1/E2.

Therefore, anyone who publishes TLSA records for just one of the 4
issuers will eventually also be "disappointed".

If you're using Let's Encrypt as your CA and prefer to publish
DANE-TA(2), rather than DANE-EE(3) TLSA records, please look over:

    <http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html>


carefully, and publish all four of the **required** TLSA records for
each MX host:

    _25._tcp.mx1.org.example. IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d ; R3
    _25._tcp.mx1.org.example. IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 ; R4
    _25._tcp.mx1.org.example. IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 ; E1
    _25._tcp.mx1.org.example. IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 ; E2
    ...


or if you prefer:

    _25._tcp.mx1.org.example. IN CNAME _25._tlsa.org.example.
    _25._tcp.mx2.org.example. IN CNAME _25._tlsa.org.example.
    ...
    _25._tcp.mxN.org.example. IN CNAME _25._tlsa.org.example.
    ;
    _25._tlsa.org.example. IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d ; R3
    _25._tlsa.org.example. IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 ; R4
    _25._tlsa.org.example. IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 ; E1
    _25._tlsa.org.example. IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 ; E2


-- 
    Viktor.
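The check behind the advice above, as an added example that is not part of the thread and not Let's Encrypt's or Exim's code: it computes the "2 1 1" digest (SHA-256 over the DER SubjectPublicKeyInfo, i.e. TLSA selector 1, matching type 1) of an issuer certificate, parses TLSA records in the zone-file layout used in the message, and verifies a leaf+issuer chain the way a DANE-TA(2) verifier does. The four issuer certificates are constructed, unsigned stand-ins labelled R3/R4/E1/E2, not the real Let's Encrypt intermediates, so their digests are not the values in the records above; only the page's own record lines are used as real parser input. The `openssl` pipeline in the docstring is the standard way to get the same digest from a real PEM file.

```python
"""
Added example (not from the exim-users thread or Let's Encrypt): compute the
"2 1 1" TLSA digest of an issuer certificate, parse published TLSA records and
check a presented chain as a DANE-TA(2) verifier would, to show why a zone that
publishes only the R3 digest fails once the issuer is chosen at random.

Equivalent openssl pipeline for the digest of a real issuer certificate:
    openssl x509 -in R3.pem -noout -pubkey \
      | openssl pkey -pubin -outform DER | openssl dgst -sha256
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


# --- minimal DER helpers (tags assumed single-byte, which holds for X.509) ---

def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _tlv(buf: bytes, pos: int) -> tuple[int, int, int]:
    """Decode the TLV header at pos: (tag, header length, content length)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (TLSA selector 1)."""
    tag, hdr, _ = _tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    pos = hdr
    tag, hdr, tbs_len = _tlv(cert_der, pos)    # tbsCertificate ::= SEQUENCE
    assert tag == 0x30, "tbsCertificate missing"
    pos += hdr
    end = pos + tbs_len
    fields = []
    while pos < end:   # version?, serial, sigAlg, issuer, validity, subject, SPKI, ...
        tag, hdr, ln = _tlv(cert_der, pos)
        fields.append((tag, cert_der[pos:pos + hdr + ln]))
        pos += hdr + ln
    if fields[0][0] == 0xA0:                   # drop the EXPLICIT [0] version if present
        fields = fields[1:]
    spki_tag, spki = fields[5]
    assert spki_tag == 0x30, "SPKI not where expected"
    return spki


def tlsa_211_digest(cert_der: bytes) -> str:
    """Selector 1 (SPKI) + matching type 1 (SHA-256): the hex payload of a '2 1 1' record."""
    return hashlib.sha256(extract_spki(cert_der)).hexdigest()


@dataclass(frozen=True)
class TLSA:
    owner: str
    usage: int
    selector: int
    mtype: int
    data: str  # lowercase hex


def parse_tlsa_rr(line: str) -> TLSA:
    """Parse one zone-file line such as '_25._tcp.mx1.org.example. IN TLSA 2 1 1 <hex> ; R3'."""
    owner, _cls, rrtype, usage, sel, mt, *data = line.split(";", 1)[0].split()
    assert rrtype.upper() == "TLSA"
    return TLSA(owner, int(usage), int(sel), int(mt), "".join(data).lower())


def dane_ta_211_match(chain: list[bytes], rrset: list[TLSA]) -> int | None:
    """Index of the first issuer in `chain` (leaf is chain[0]) whose SPKI matches a '2 1 1' record."""
    published = {rr.data for rr in rrset if (rr.usage, rr.selector, rr.mtype) == (2, 1, 1)}
    for i in range(1, len(chain)):             # DANE-TA matches an issuer, never the leaf itself
        if tlsa_211_digest(chain[i]) in published:
            return i
    return None


def fake_cert(cn: str, pubkey: bytes) -> bytes:
    """Structurally valid but UNSIGNED X.509 DER: constructed sample input, not a real certificate.
    Only the SPKI matters for a '2 1 1' digest, so the signature fields are placeholders."""
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))                                   # rsaEncryption
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))    # sha256WithRSA
    spki = _der(0x30, _der(0x30, rsa_oid + _der(0x05, b"")) + _der(0x03, b"\x00" + pubkey))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode()))))
    validity = _der(0x30, _der(0x17, b"231101000000Z") + _der(0x17, b"241101000000Z"))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg   # version, serial, signature
           + name + validity + name + spki)                                   # issuer, validity, subject, SPKI
    return _der(0x30, _der(0x30, tbs) + sig_alg + _der(0x03, b"\x00" + bytes(8)))


# Constructed stand-ins for the four issuer CAs named in the thread; NOT the real R3/R4/E1/E2.
ISSUERS = {n: fake_cert(f"{n} (sample)", f"sample-key-{n}-".encode() * 6) for n in ("R3", "R4", "E1", "E2")}


def zone_lines(owner: str, names: tuple[str, ...]) -> list[str]:
    """Presentation-format '2 1 1' records for the chosen issuers, in the layout used in the post."""
    return [f"{owner} IN TLSA 2 1 1 {tlsa_211_digest(ISSUERS[n])} ; {n}" for n in names]


def simulate_renewals(rrset: list[TLSA], leaf_cn: str = "mx1.org.example") -> dict[str, bool]:
    """Renew once per possible issuer and verify each resulting chain against the published RRset."""
    results = {}
    for name, issuer in ISSUERS.items():
        leaf = fake_cert(leaf_cn, b"sample-leaf-key-" * 6)
        results[name] = dane_ta_211_match([leaf, issuer], rrset) is not None
    return results


if __name__ == "__main__":
    owner = "_25._tcp.mx1.org.example."
    only_r3 = [parse_tlsa_rr(l) for l in zone_lines(owner, ("R3",))]
    all_four = [parse_tlsa_rr(l) for l in zone_lines(owner, ("R3", "R4", "E1", "E2"))]
    print("only R3 published:  ", simulate_renewals(only_r3))    # R4/E1/E2 renewals fail
    print("all four published: ", simulate_renewals(all_four))   # every renewal verifies
```

With only the R3 record published, three of the four simulated renewals fail DANE-TA verification; with all four records in the RRset every chain matches, which is the point of publishing all four per MX host (or behind one CNAME target, as in the second layout above).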


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/