If Let's Encrypt really wants more agile issuer keys, you could publish in a suitable DNSSEC-signed domain (or under letsencrypt.org after DNSSEC-signing letsencrypt.org) DANE-TA(2) records of as yet unexpired, active or soon to be deployed intermediate issuer CA keys.
_dane.le-signed.example. IN TLSA 2 1 1 <sha256(spki-CA-1)>
_dane.le-signed.example. IN TLSA 2 1 1 <sha256(spki-CA-2)>
...
Where unexpired means a CA for which at least some issued EE certificate has not yet expired. Then before introducing a new issuer, you could add it to the TLSA RRset in question at least a few TTLs before it mints any EE certs.
Users of Let's Encrypt could just add CNAMEs to their zones:
_25._tcp.mx1.domain.example. IN CNAME _le.domain.example.
_le.domain.example. IN CNAME _dane.le-signed.example.
More operationally sophisticated users would instead periodically clone the records in question into their own zones, avoiding real-time dependency on LE's DNS.
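As an added illustration (not part of the original post, and not Let's Encrypt's or anyone's production code), the following Python models the arrangement described above: the CA publishes DANE-TA(2) SPKI(1) SHA2-256(1) records for its issuer keys, the user's zone reaches that RRset through a CNAME chain, a new issuer is appended to the RRset before it mints EE certificates, and an operator can instead clone the RRset into their own zone. The owner names are the ones in the post; the CA SPKI byte strings are constructed stand-ins for real DER-encoded SubjectPublicKeyInfo values, and DNSSEC validation of each hop is assumed to happen elsewhere.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo of three
# hypothetical intermediate CA keys. Real values come from the CA
# certificates; only their SHA-256 digests matter for a "2 1 1" record.
CA1_SPKI = b"constructed-spki-der-of-intermediate-CA-1"
CA2_SPKI = b"constructed-spki-der-of-intermediate-CA-2"
CA3_SPKI = b"constructed-spki-der-of-intermediate-CA-3"

LE_RRSET_NAME = "_dane.le-signed.example."


@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA: trust anchor assertion
    selector: int   # 1 = SubjectPublicKeyInfo
    mtype: int      # 1 = SHA2-256
    data: bytes     # certificate association data (the digest)


def tlsa_for_ca_spki(spki_der: bytes) -> TLSA:
    """Build the DANE-TA(2) SPKI(1) SHA2-256(1) record for an issuer key."""
    return TLSA(2, 1, 1, hashlib.sha256(spki_der).digest())


def to_presentation(owner: str, rr: TLSA) -> str:
    """Zone-file form, e.g. '_dane.le-signed.example. IN TLSA 2 1 1 <hex>'."""
    return f"{owner} IN TLSA {rr.usage} {rr.selector} {rr.mtype} {rr.data.hex()}"


def from_presentation(line: str) -> tuple[str, TLSA]:
    owner, klass, rtype, usage, selector, mtype, data = line.split()
    if (klass, rtype) != ("IN", "TLSA"):
        raise ValueError(f"not a TLSA record: {line!r}")
    return owner, TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(data))


def resolve_tlsa(dns: dict, name: str, max_hops: int = 8) -> list[TLSA]:
    """Follow CNAMEs from `name` to a TLSA RRset, refusing loops and long
    chains. A DANE client does this (DNSSEC-validating every hop, which
    this toy omits) before matching the server's chain."""
    for _ in range(max_hops):
        if name not in dns:
            raise LookupError(f"no data for {name}")
        rtype, value = dns[name]
        if rtype == "TLSA":
            return list(value)
        if rtype != "CNAME":
            raise LookupError(f"unexpected {rtype} at {name}")
        name = value
    raise LookupError("CNAME chain too long (loop?)")


def issuer_trusted(rrset: list[TLSA], issuer_spki_der: bytes) -> bool:
    """True if the presented chain's issuer key matches a 2 1 1 record."""
    want = tlsa_for_ca_spki(issuer_spki_der)
    return any(rr == want for rr in rrset)   # other usages/selectors ignored


def publish_issuer(le_zone: dict, spki_der: bytes) -> None:
    """The CA appends a new issuer key to its RRset; it must do this at least
    a few TTLs before that issuer signs any EE certificate."""
    _rtype, rrset = le_zone[LE_RRSET_NAME]
    rrset.append(tlsa_for_ca_spki(spki_der))


def clone_rrset(src: dict, src_name: str, dst: dict, dst_name: str) -> None:
    """Periodic copy of the CA's RRset into the operator's own zone, replacing
    the CNAME so there is no real-time dependency on the CA's DNS."""
    _rtype, rrset = src[src_name]
    dst[dst_name] = ("TLSA", list(rrset))


def build_zones() -> tuple[dict, dict]:
    """Constructed CA zone and user zone matching the records in the post."""
    le_zone = {LE_RRSET_NAME: ("TLSA", [tlsa_for_ca_spki(CA1_SPKI),
                                        tlsa_for_ca_spki(CA2_SPKI)])}
    user_zone = {
        "_25._tcp.mx1.domain.example.": ("CNAME", "_le.domain.example."),
        "_le.domain.example.": ("CNAME", LE_RRSET_NAME),
    }
    return le_zone, user_zone


if __name__ == "__main__":
    le_zone, user_zone = build_zones()
    dns = {**le_zone, **user_zone}          # the resolver's view of both zones
    for rr in resolve_tlsa(dns, "_25._tcp.mx1.domain.example."):
        print(to_presentation(LE_RRSET_NAME, rr))
    print("CA3 before publish:", issuer_trusted(resolve_tlsa(dns, "_25._tcp.mx1.domain.example."), CA3_SPKI))
    publish_issuer(le_zone, CA3_SPKI)
    print("CA3 after publish: ", issuer_trusted(resolve_tlsa(dns, "_25._tcp.mx1.domain.example."), CA3_SPKI))
    clone_rrset(le_zone, LE_RRSET_NAME, user_zone, "_le.domain.example.")
    print("resolves from user zone alone:", len(resolve_tlsa(user_zone, "_25._tcp.mx1.domain.example.")))
```

The RRset list is shared by reference between the CA zone and the merged view, which is what lets `publish_issuer` become visible to the resolver without republishing anything else; in real DNS the same effect is bounded by the TTL, which is why the post asks for the new issuer to appear a few TTLs ahead of its first EE certificate.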