I used 2 1 1 with the IdenTrust root. The main disadvantage of this, I think, is that you have to send the root in your certificate chain, which is unusual, but shouldn’t cause any problems.
hlandau
5
Related topics
| Topic | Replies | Views | Activity | |
|---|---|---|---|---|
| DANE and upcoming LE issuer certs | 18 | 6196 | November 25, 2020 | |
| TLSA record hygiene for Let's Encrypt issuer CAs | 17 | 575 | July 17, 2025 | |
| Understanding SMTP DANE implementation options | 13 | 6485 | October 14, 2022 | |
| A DANE-friendly Certbot workflow | 4 | 2323 | September 23, 2021 | |
| TLSA record changes with every renewal process which breaks DANE | 9 | 6203 | March 2, 2021 |