TLSA records announce what certificate is expected from an endpoint. Since the cert changes often, that can be tricky. One method re-uses the certificate key material so it doesn't change, but that's not very nice. We want to rotate the keys.

Instead of pinning the cert itself, use DANE-TA(2) to pin the currently active intermediate.

Find and download the currently used intermediate from LE's published Chain of Trust. Then compute its hash:

openssl x509 -in lets-encrypt-x3-cross-signed.pem -noout -pubkey |
  openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex |
  awk '{print "le-ca TLSA 2 1 1", $NF}'

Next, publish that somewhere such as at the SOA level. Don't forget to put a comment on there and set a calendar reminder to check for the new one in time.

; Let's Encrypt R3 intermediate, expires: 15. September 2025 16:00:00 GMT
le-r3._dane     3600    IN      TLSA    2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d

Finally, point all service records there:

_25._tcp.mx1.sys        IN      CNAME   le-r3._dane.example.com.