====== DANE records with Let's Encrypt ======

===== Problem =====

TLSA records announce what certificate is expected from an endpoint. Since the cert changes often, that can be tricky. One method re-uses the certificate key material so it doesn't change, but that's not very nice. We //want// to rotate the keys.

===== Setup =====

Instead of pinning the cert itself, use DANE-TA(2) to pin the currently active intermediate.


==== Compute the Intermediate TLSA RR ====

Find and download the currently used intermediate from LE's published [[https://letsencrypt.org/certificates/|Chain of Trust]]. Then compute its hash:

<file bash>
openssl x509 -in lets-encrypt-x3-cross-signed.pem -noout -pubkey |
  openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex |
  awk '{print "le-ca TLSA 2 1 1", $NF}'
</file>

Next, publish that somewhere such as at the SOA level. Don't forget to put a comment on there and set a calendar reminder to check for the new one in time.
<file>
; Let's Encrypt R3 intermediate, expires: 15. September 2025 16:00:00 GMT
le-r3._dane     3600    IN      TLSA    2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
</file>

Finally, point all service records there:
<file>
_25._tcp.mx1.sys        IN      CNAME   le-r3._dane.example.com.
</file>