I'm concerned. None of ma.gov.br
's nameservers support TCP, but their DNSKEY
record set is close to 1.2 KB.
Let's Encrypt is unable to resolve -- let alone issue certificates for -- anything under ma.gov.br
.
Let's Encrypt made the EDNS buffer size change on 2018-11-15, and haven't issued a certificate for the zone since 2018-11-14.