test message

Bjørn Mork bjorn at mork.no
Wed Apr 11 20:15:12 UTC 2018


/dev/rob0 <rob0 at gmx.co.uk> writes:

> If this doesn't arrive on the list right away it might mean that 
> ISC's TLSA records were not updated yet for the new certificates. :)

Does not look like it to me:

bjorn at canardo:~$ tlsa -dv lists.isc.org
Received the following record for name _443._tcp.lists.isc.org.:
        Usage:                          3 (End-Entity [DANE-EE])
        Selector:                       0 (Certificate [Cert])
        Matching Type:                  1 (SHA-256)
        Certificate for Association:    9c4e7241418a0580e130c127562a5934343640bd9863109be1d0cb1fd3d12a38
This record is valid (well-formed).
Attempting to verify the record with the TLS service...
Unable to resolve lists.isc.org.: Unsuccessful DNS lookup or no data returned for rrtype AAAA (28).
Got the following IP: 149.20.1.60
Did set servername lists.isc.org
FAIL (Usage 3 [DANE-EE]): Certificate offered by the server does not match the TLSA record (149.20.1.60)


They should probably consider the good advice found here:
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022

and combine that with Viktor's recommendations given here:
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html



Bjørn

